
Windows Analysis Report
cmd.exe

Overview

General Information

Sample name:cmd.exe
Analysis ID:1385352
MD5:cb6cd09f6a25744a8fa6e4b3e4d260c5
SHA1:e9be2f86e3a3bff02d1953aeccf0ed22284596d4
SHA256:265b69033cea7a9f8214a34cd9b17912909af46c7a47395dd7bb893a24507e59

Detection

Score:7
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs

Classification

  • System is w10x64
  • cmd.exe (PID: 5252 cmdline: C:\Users\user\Desktop\cmd.exe MD5: CB6CD09F6A25744A8FA6E4B3E4D260C5)
    • conhost.exe (PID: 2004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched
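The process tree above is what a stock cmd.exe does when launched with no arguments: it spawns conhost.exe (the `0xffffffff -ForceV1` command line is the normal console-host handshake) and then blocks waiting for console input, which is why the report also records idle behaviour, a process that stops while sleeping, and an analysis that ends by timeout rather than any evasion. The one thing in the tree worth alerting on is the image path: cmd.exe executing from C:\Users\user\Desktop instead of %SystemRoot%\System32. The Python below is an added example, not part of the Joe Sandbox report, that turns that observation into detection logic over Sysmon-style process-creation records. The event records, their process IDs, the OriginalFileName values and the list of system binaries are constructed assumptions for the example.

```python
"""Detect Windows system binaries executing outside their home directories.
Input is Sysmon Event ID 1 style process-creation records (constructed below)."""
import ntpath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumed allow-list of binaries that never legitimately run from elsewhere;
# extend it from your own baseline.
SYSTEM_BINARIES = {"cmd.exe", "conhost.exe", "powershell.exe", "rundll32.exe",
                   "regsvr32.exe", "mshta.exe", "certutil.exe", "wscript.exe"}


def _norm(path: str) -> str:
    return ntpath.normpath(path).lower()


def evaluate(event: dict) -> list:
    """Return a list of findings for one process-creation event (empty when benign)."""
    findings = []
    directory, name = ntpath.split(_norm(event["Image"]))
    # Prefer the PE version-info name: a renamed copy of cmd.exe keeps it.
    original = (event.get("OriginalFileName") or name).lower()
    if original in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
        findings.append("%s executing from %s" % (original, directory))
    if original in SYSTEM_BINARIES and name != original:
        findings.append("renamed: %s carries OriginalFileName %s" % (name, original))
    # conhost.exe spawned by a console program is expected; it is scored by the same
    # rules and produces nothing as long as it runs from System32 under its own name.
    return findings


def triage(events) -> dict:
    """Map each event's ProcessId to its findings, skipping clean events."""
    result = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            result[ev["ProcessId"]] = hits
    return result


# Constructed sample events mirroring the report's process tree, plus a legitimate
# System32 cmd.exe and a renamed copy in a temp directory.
SAMPLE_EVENTS = [
    {"ProcessId": 5252, "Image": r"C:\Users\user\Desktop\cmd.exe",
     "CommandLine": r"C:\Users\user\Desktop\cmd.exe",
     "OriginalFileName": "cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 2004, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "OriginalFileName": "CONHOST.EXE", "ParentImage": r"C:\Users\user\Desktop\cmd.exe"},
    {"ProcessId": 6120, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "OriginalFileName": "cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 7304, "Image": r"C:\Users\user\AppData\Local\Temp\svc.exe",
     "CommandLine": "svc.exe /c whoami",
     "OriginalFileName": "cmd.exe", "ParentImage": r"C:\Windows\System32\wscript.exe"},
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Run stand-alone it reports PID 5252 (the report's sample) for its path and PID 7304 for both its path and its renamed image; the conhost child and the genuine System32 cmd.exe produce nothing. In a SIEM the same logic is a rule on `Image` not under the system directories combined with `OriginalFileName` in the allow-list; keying on `OriginalFileName` rather than the file name is what catches the renamed copy.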

Signature Results

There are no malicious signatures. All signature results:

Source: cmd.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: cmd.pdbUGP source: cmd.exe
Source: Binary string: cmd.pdb source: cmd.exe
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FE2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FF7B4C FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FD1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FD35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FE823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FE88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FE898C NtQueryInformationToken
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FE89E4 NtQueryInformationToken,NtQueryInformationToken
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FE7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FFBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FE8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6DA001538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FD3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FD5240 memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FE4224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList
Source: C:\Users\user\Desktop\cmd.exe | Code functions: 0_2_00007FF6D9FE37D8, 0_2_00007FF6D9FD3410, 0_2_00007FF6D9FE5554, 0_2_00007FF6D9FDAA54, 0_2_00007FF6D9FF7F00, 0_2_00007FF6D9FD9B50, 0_2_00007FF6D9FD5B70, 0_2_00007FF6D9FD3F90, 0_2_00007FF6D9FFAFBC, 0_2_00007FF6D9FD6BE0, 0_2_00007FF6D9FE7854, 0_2_00007FF6D9FFAC4C, 0_2_00007FF6D9FD2C48, 0_2_00007FF6D9FD1884, 0_2_00007FF6D9FE18D4, 0_2_00007FF6D9FDB0D8, 0_2_00007FF6D9FD8510, 0_2_00007FF6D9FD7D30, 0_2_00007FF6DA001538, 0_2_00007FF6D9FD81D4, 0_2_00007FF6D9FFD9D0, 0_2_00007FF6D9FD8DF8, 0_2_00007FF6D9FDCE10, 0_2_00007FF6D9FE4224, 0_2_00007FF6D9FD2220, 0_2_00007FF6D9FFAA30, 0_2_00007FF6D9FD4A30, 0_2_00007FF6D9FD5240, 0_2_00007FF6D9FD7650, 0_2_00007FF6D9FDD250, 0_2_00007FF6D9FD9E50, 0_2_00007FF6D9FE0A6C, 0_2_00007FF6D9FDE680, 0_2_00007FF6D9FFEE88, 0_2_00007FF6D9FD6EE4, 0_2_00007FF6D9FD372C
Source: cmd.exe | Binary or memory string: OriginalFilename vs cmd.exe
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: winbrand.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: wldp.dll
Source: classification engine | Classification label: clean7.winEXE@2/0@0/0
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FD32B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FFFB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2004:120:WilError_03
Source: cmd.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cmd.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\cmd.exe C:\Users\user\Desktop\cmd.exe
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: cmd.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: cmd.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cmd.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cmd.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cmd.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cmd.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: cmd.exe | Static PE information: 0xD7EE190D [Wed Oct 18 11:03:41 2084 UTC]
Source: cmd.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\cmd.exe | API coverage: 9.2 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FE8B00 DelayLoadFailureHook,LdrResolveDelayLoadedAPI
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FF63FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FDDF60 GetProcessHeap,RtlFreeHeap,_setjmp,longjmp,VirtualFree
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FE8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FE93B0 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FE51EC GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FE3140 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FD6EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF6D9FD586C GetVersion
MITRE ATT&CK Matrix

Techniques matched by the signatures above, by tactic (the number of matching signatures in parentheses; the unmatched cells of the matrix template are omitted):

Initial Access: Valid Accounts (1)
Persistence: Valid Accounts (1), DLL Side-Loading (1)
Privilege Escalation: Valid Accounts (1), Access Token Manipulation (1), Process Injection (1), DLL Side-Loading (1)
Defense Evasion: Valid Accounts (1), Access Token Manipulation (1), Process Injection (1), Timestomp (1), DLL Side-Loading (1)
Discovery: System Time Discovery (1), Security Software Discovery (2), File and Directory Discovery (1), System Information Discovery (14)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1)
Reconnaissance, Resource Development, Execution, Credential Access, Lateral Movement, Exfiltration, Impact: no techniques matched
Behavior Graph

Behavior Graph ID: 1385352, Sample: cmd.exe, Start date: 02/02/2024, Architecture: WINDOWS, Score: 7

  • cmd.exe (process, started)
    • conhost.exe (process, started by cmd.exe)

Legend node types: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Antivirus, Machine Learning and Genetic Malware Detection

Source   | Detection | Scanner
cmd.exe  | 0%        | ReversingLabs
cmd.exe  | 0%        | Virustotal
No Antivirus matches (dropped files, unpacked PE files, domains, URLs)
No contacted domains info
No contacted IP infos
Joe Sandbox version:39.0.0 Ruby
Analysis ID:1385352
Start date and time:2024-02-02 05:06:57 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 58s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
  • Number of new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:cmd.exe
Detection:CLEAN
Classification:clean7.winEXE@2/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 38
  • Number of non-executed functions: 148
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
No simulations
No context (IPs, domains, ASNs, JA3 fingerprints, dropped files)
No created / dropped files found
File type:PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):6.135596419282984
TrID:
  • Win64 Executable Console (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:cmd.exe
File size:289'792 bytes
MD5:cb6cd09f6a25744a8fa6e4b3e4d260c5
SHA1:e9be2f86e3a3bff02d1953aeccf0ed22284596d4
SHA256:265b69033cea7a9f8214a34cd9b17912909af46c7a47395dd7bb893a24507e59
SHA512:d978934298ef3c2b6da441afa146364f1a9f0d7e4a10a5aa8541a17c5b13202d95d47cc9e77140cea9eb059793caa9161200fdd86533dfaa2246c92e27c6bbdb
SSDEEP:6144:s4WA1B9BxDfQWKORSqY4zOcmpdlc3gLotdlSm:P1BhkWvSqY4zvmjOwck
TLSH:3A54291D23991CE5D927923D9903C226C6727C346321A6EF22D0CD7B6F63AE97A34F05
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........OH...&...&...&..V....&..E%...&..E"...&...'../&..E'...&..E#...&..E+...&..E....&..E$...&.Rich..&.................PE..d..........
Icon Hash:a43a7ac70101a5a0
Entrypoint:0x140018f50
Entrypoint Section:.text
Digitally signed:false (no embedded Authenticode signature; IMAGE_DIRECTORY_ENTRY_SECURITY is empty in the data directory table below. Microsoft signs most Windows system binaries through security catalogs rather than embedded signatures, so a catalog-aware signature check is needed before treating the file as unsigned)
Imagebase:0x140000000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0xD7EE190D [Wed Oct 18 11:03:41 2084 UTC] (a future date: Microsoft links OS binaries with reproducible-build settings that store a content hash in TimeDateStamp instead of a build time, so this field cannot date the file and an implausible value is expected for a genuine Windows binary. The report lists the debug directory, 0x54 bytes or three 28-byte entries, but not the entry types, which is where an IMAGE_DEBUG_TYPE_REPRO entry would confirm this)
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:10
OS Version Minor:0
File Version Major:10
File Version Minor:0
Subsystem Version Major:10
Subsystem Version Minor:0
Import Hash:272245e2988e1e430500b852c4fb5e18
Instruction (entry point disassembly)

Note: the report decodes this x64 code with a 32-bit disassembler, so every `dec eax` below is a misread REX.W prefix: `dec eax / sub esp, 28h` is really `sub rsp, 28h`, and `inc ebp / xor eax, eax` is `xor r8d, r8d`. Read as x64, the listing is the usual MSVC entry thunk (one call, then a tail jump into the CRT), followed by the /GS cookie check (`rol rcx, 10h / test cx, 0FFFFh`), the security-failure handler that calls SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess and TerminateProcess with exit code C0000409h (STATUS_STACK_BUFFER_OVERRUN), and the start of the GS-failure reporter that calls RtlCaptureContext and RtlLookupFunctionEntry. All of those functions appear in the import table below.
dec eax
sub esp, 28h
call 00007FAF2102C550h
dec eax
add esp, 28h
jmp 00007FAF2102BD43h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00024171h]
jne 00007FAF2102BF32h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007FAF2102BF23h
ret
dec eax
ror ecx, 10h
jmp 00007FAF2102BF67h
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [0001A633h]
dec eax
mov ecx, ebx
call dword ptr [0001A612h]
call dword ptr [0001A944h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [0001A920h]
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000088h
dec eax
lea ecx, dword ptr [000242CDh]
call dword ptr [0001ADC7h]
dec eax
mov eax, dword ptr [000243B8h]
dec eax
mov dword ptr [esp+48h], eax
inc ebp
xor eax, eax
dec eax
lea edx, dword ptr [esp+50h]
dec eax
mov ecx, dword ptr [esp+48h]
call dword ptr [0001ADA0h]
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x3a028          0x2f8         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x5d000          0x84f8        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x59000          0x2334        .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x66000          0x30c         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x35a60          0x54          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x32c10          0x118         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x334d0          0x9a0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x39d20          0x80          .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy            | Characteristics
.text  | 0x1000          | 0x30ef9      | 0x31000  | 25a5d44020db4754910ab6e396c9a718 | False    | 0.5605070153061225 | data      | 6.309578650753951  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x32000         | 0xa53c       | 0xa600   | 23613b8ef679b342307b8738c949053f | False    | 0.3739646084337349 | data      | 4.9231968161506465 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x3d000         | 0x1bc50      | 0x200    | 1cf8515124a1a34c1675f83df3970743 | False    | 0.38671875         | data      | 3.17983043542025   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x59000         | 0x2334       | 0x2400   | 2b671e140419d52024fd880b0050fd61 | False    | 0.5021701388888888 | data      | 5.489299855036303  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x5c000         | 0x90         | 0x200    | 8963233f6e4d70f6f240ab50ce9621cf | False    | 0.119140625        | data      | 1.0346602658536108 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0x5d000         | 0x84f8       | 0x8600   | beff4d2ce9292f4b64971d20b49d7d2b | False    | 0.28270755597014924 | data     | 4.359907321995828  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x66000         | 0x30c        | 0x400    | 1bdbe7e1ecefe0f26fe1ab14787f890c | False    | 0.546875           | data      | 4.67734346646031   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
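Three of the static findings in this report (the "suspicious" time stamp, the "non-standard" .didat section name, and Digitally signed: false) come from header fields that are cheap to check with code rather than by eye, and all three have a benign reading for a Windows system binary: Microsoft's reproducible builds put a content hash in TimeDateStamp, .didat is the MSVC linker's delay-load import address table (consistent with the IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT entry above), and catalog-signed system files have an empty SECURITY directory. The Python below is an added example, not part of the report or of any Joe Sandbox tooling: a standard-library parser for exactly those fields, run against a minimal PE32+ image the script constructs in memory with the report's time stamp, DllCharacteristics flags and section names. The debug entries written into that image, including an IMAGE_DEBUG_TYPE_REPRO entry, are an assumption for the test image; the report gives the debug directory's location and size but not its entry types.

```python
"""Static PE header triage for the fields the report flags: link timestamp,
DllCharacteristics, the SECURITY (Authenticode) and DEBUG directories, and
section names. Standard library only; parse_pe() takes the raw file bytes."""
import struct
from datetime import datetime, timezone

DLL_CHARACTERISTICS = {  # IMAGE_DLLCHARACTERISTICS_* (winnt.h), bit -> name
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
DIR_SECURITY, DIR_DEBUG = 4, 6        # IMAGE_DIRECTORY_ENTRY_* indices
IMAGE_DEBUG_TYPE_REPRO = 16           # emitted by link.exe /Brepro (reproducible builds)
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                   ".idata", ".edata", ".tls", ".bss", ".xdata", ".CRT"}


def parse_pe(data: bytes) -> dict:
    """Return the header facts behind the report's static signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                     # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header: NumberOfSections, TimeDateStamp, symbol-table fields, SizeOfOptionalHeader, Characteristics
    nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HIIIHH", data, pe + 6)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                                  # PE32 / PE32+
        raise ValueError("unknown optional header magic %#x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]          # same offset in both formats
    dirs_off = opt + (112 if magic == 0x20B else 96)
    ndirs = struct.unpack_from("<I", data, dirs_off - 4)[0]          # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]
    sections = []                                                    # (name, va, vsize, rawptr, rawsize)
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawptr, rawsize))

    def rva_to_off(rva):
        for _, va, vsize, rawptr, rawsize in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA %#x is not inside any section" % rva)

    debug_types = []
    if DIR_DEBUG < ndirs and dirs[DIR_DEBUG][1]:
        rva, size = dirs[DIR_DEBUG]
        off = rva_to_off(rva)
        for n in range(size // 28):                                  # IMAGE_DEBUG_DIRECTORY is 28 bytes
            debug_types.append(struct.unpack_from("<I", data, off + 28 * n + 12)[0])  # .Type field
    return {
        "timestamp": stamp,
        "link_time_utc": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "timestamp_plausible": stamp <= datetime.now(tz=timezone.utc).timestamp(),
        "reproducible_build": IMAGE_DEBUG_TYPE_REPRO in debug_types,
        "debug_types": debug_types,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "embedded_signature": DIR_SECURITY < ndirs and dirs[DIR_SECURITY][1] > 0,
        "unusual_sections": [s[0] for s in sections if s[0] not in COMMON_SECTIONS],
    }


def timestamp_verdict(info: dict) -> str:
    """How to read a TimeDateStamp that decodes to the future, as this one does."""
    if info["timestamp_plausible"]:
        return "plausible link time"
    if info["reproducible_build"]:
        return "content hash, not a time (reproducible build); not evidence of tampering"
    return "implausible link time with no REPRO entry; check for timestomping"


def build_sample_pe(stamp: int, dll_chars: int, section_names, repro: bool) -> bytes:
    """Construct a minimal PE32+ image in memory (test input, not the real cmd.exe):
    0x400 bytes of headers, one 0x200-byte raw block per section, and a debug
    directory stored at the start of the first section."""
    hdr_size, nsec = 0x400, len(section_names)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+
    struct.pack_into("<Q", opt, 24, 0x140000000)                    # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                 # Section / File alignment
    struct.pack_into("<HH", opt, 68, 3, dll_chars)                  # Subsystem CUI, DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)                            # NumberOfRvaAndSizes
    dbg_types = [2, IMAGE_DEBUG_TYPE_REPRO] if repro else [2]       # CODEVIEW, optionally REPRO
    struct.pack_into("<II", opt, 112 + 8 * DIR_DEBUG, 0x1000, 28 * len(dbg_types))
    coff = struct.pack("<HHIIIHH", 0x8664, nsec, stamp, 0, 0, len(opt), 0x22)  # AMD64, EXE, large-address-aware
    secs, body = bytearray(), bytearray()
    for i, name in enumerate(section_names):
        secs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), 0x200,
                            0x1000 * (i + 1), 0x200, hdr_size + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        body += bytes(0x200)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    img = bytearray((bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(secs)).ljust(hdr_size, b"\0")) + body
    for n, t in enumerate(dbg_types):                               # IMAGE_DEBUG_DIRECTORY entries
        struct.pack_into("<IIHHIIII", img, hdr_size + 28 * n, 0, stamp, 0, 0, t, 0, 0, 0)
    return bytes(img)


if __name__ == "__main__":
    # The report's values: timestamp 0xD7EE190D, its five DllCharacteristics flags, a .didat section
    sample = build_sample_pe(0xD7EE190D, 0xC160,
                             [".text", ".rdata", ".data", ".pdata", ".didat", ".rsrc", ".reloc"], repro=True)
    info = parse_pe(sample)
    print(info["link_time_utc"], timestamp_verdict(info))
    print(info["dll_characteristics"], info["unusual_sections"], info["embedded_signature"])
```

To run it against the real file, replace the constructed image with `parse_pe(open(path, "rb").read())`; on a genuine Windows cmd.exe the expected result is the 2084 date paired with a REPRO debug entry, the five mitigation flags listed in the report, no embedded signature, and .didat as the only section name outside the common set. A future date without a REPRO entry is the combination that deserves a timestomping look.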
Name          | RVA     | Size   | Type                                                                        | Language | Country       | ZLIB Complexity
MUI           | 0x65420 | 0xd8   | data                                                                        | English  | United States | 0.5185185185185185
RT_ICON       | 0x5d778 | 0x668  | Device independent bitmap graphic, 48 x 96 x 4, image size 1152             | English  | United States | 0.21097560975609755
RT_ICON       | 0x5dde0 | 0x2e8  | Device independent bitmap graphic, 32 x 64 x 4, image size 512              | English  | United States | 0.2647849462365591
RT_ICON       | 0x5e0c8 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 128              | English  | United States | 0.3783783783783784
RT_ICON       | 0x5e1f0 | 0xea8  | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.11567164179104478
RT_ICON       | 0x5f098 | 0x8a8  | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.18592057761732853
RT_ICON       | 0x5f940 | 0x568  | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors  | English | United States | 0.08236994219653179
RT_ICON       | 0x5fea8 | 0x169e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                 | English  | United States | 0.968048359240069
RT_ICON       | 0x61548 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600            | English  | United States | 0.06130705394190871
RT_ICON       | 0x63af0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224            | English  | United States | 0.1177298311444653
RT_ICON       | 0x64b98 | 0x468  | Device independent bitmap graphic, 16 x 32 x 32, image size 1088            | English  | United States | 0.09308510638297872
RT_GROUP_ICON | 0x65000 | 0x92   | data                                                                        | English  | United States | 0.636986301369863
RT_VERSION    | 0x65098 | 0x388  | data                                                                        | English  | United States | 0.4657079646017699
RT_MANIFEST   | 0x5d350 | 0x428  | XML 1.0 document, ASCII text, with CRLF line terminators                    | English  | United States | 0.43609022556390975
Imports (DLL: imported functions)

msvcrt.dll: _setmode, exit, iswxdigit, time, srand, _wtol, fflush, wcsstr, iswalpha, wcstoul, _errno, printf, rand, fprintf, wcsncmp, _pipe, _commode, _lock, wcsrchr, realloc, towlower, _initterm, __setusermatherr, setlocale, _wcsupr, iswdigit, _ultoa, _cexit, _unlock, _exit, __dllonexit, _wcsicmp, iswspace, wcschr, fgets, ??_V@YAXPEAX@Z, _pclose, ferror, _onexit, __CxxFrameHandler3, _open_osfhandle, _close, feof, _dup, _wpopen, _wcsnicmp, ?terminate@@YAXXZ, memset, wcstol, _get_osfhandle, _dup2, _getch, towupper, memcmp, _setjmp, wcsspn, _fmode, qsort, __set_app_type, _tell, _wcslwr, longjmp, _local_unwind, _purecall, __C_specific_handler, ??3@YAXPEAX@Z, memcpy_s, free, calloc, __getmainargs, _XcptFilter, _amsg_exit, ??1type_info@@UEAA@XZ, memmove, memcpy, _CxxThrowException, _vsnwprintf, swscanf, __iob_func, malloc, _callnewh, ??0exception@@QEAA@AEBQEBD@Z, ??0exception@@QEAA@AEBQEBDH@Z, ??0exception@@QEAA@AEBV0@@Z, ??1exception@@UEAA@XZ, ?what@exception@@UEBAPEBDXZ, wcscmp
ntdll.dll: RtlLookupFunctionEntry, RtlCaptureContext, NtOpenProcessToken, NtQueryInformationToken, NtClose, NtOpenThreadToken, RtlFreeHeap, NtFsControlFile, RtlDosPathNameToNtPathName_U, RtlVirtualUnwind, RtlFreeUnicodeString, RtlReleaseRelativeName, NtOpenFile, RtlDosPathNameToRelativeNtPathName_U_WithStatus, NtSetInformationFile, NtQueryVolumeInformationFile, NtSetInformationProcess, NtQueryInformationProcess, RtlNtStatusToDosError, NtCancelSynchronousIoFile, RtlCreateUnicodeStringFromAsciiz, RtlFindLeastSignificantBit
api-ms-win-core-kernel32-legacy-l1-1-0.dll: CopyFileW, GetConsoleWindow
api-ms-win-core-libraryloader-l1-2-0.dll: GetModuleHandleW, GetModuleFileNameA, LoadLibraryExW, GetProcAddress, GetModuleFileNameW, GetModuleHandleExW
api-ms-win-core-synch-l1-1-0.dll: CreateSemaphoreExW, InitializeCriticalSection, WaitForSingleObject, ReleaseSemaphore, TryAcquireSRWLockExclusive, WaitForSingleObjectEx, ReleaseMutex, ReleaseSRWLockShared, AcquireSRWLockShared, LeaveCriticalSection, CreateMutexExW, EnterCriticalSection, ReleaseSRWLockExclusive, OpenSemaphoreW
api-ms-win-core-heap-l1-1-0.dll: HeapFree, HeapAlloc, GetProcessHeap, HeapSetInformation, HeapReAlloc, HeapSize
api-ms-win-core-errorhandling-l1-1-0.dll: SetLastError, UnhandledExceptionFilter, GetLastError, SetErrorMode, SetUnhandledExceptionFilter
api-ms-win-core-processthreads-l1-1-0.dll: InitializeProcThreadAttributeList, GetCurrentThreadId, UpdateProcThreadAttribute, DeleteProcThreadAttributeList, GetStartupInfoW, CreateProcessAsUserW, OpenThread, CreateProcessW, ResumeThread, TerminateProcess, GetExitCodeProcess, GetCurrentProcess, GetCurrentProcessId
api-ms-win-core-localization-l1-2-0.dll: GetThreadLocale, SetThreadLocale, FormatMessageW, GetLocaleInfoW, GetCPInfo, GetACP, GetUserDefaultLCID
api-ms-win-core-debug-l1-1-0.dll: OutputDebugStringW, DebugBreak, IsDebuggerPresent
api-ms-win-core-handle-l1-1-0.dll: DuplicateHandle, CloseHandle
api-ms-win-core-memory-l1-1-0.dll: VirtualAlloc, VirtualQuery, VirtualFree, ReadProcessMemory
api-ms-win-core-console-l1-1-0.dll: ReadConsoleW, SetConsoleCtrlHandler, SetConsoleMode, WriteConsoleW, GetConsoleMode, GetConsoleOutputCP
api-ms-win-core-file-l1-1-0.dll: CreateFileW, FlushFileBuffers, GetFileAttributesExW, GetDriveTypeW, FindClose, FindNextFileW, CreateDirectoryW, GetVolumeInformationW, SetFileAttributesW, SetEndOfFile, SetFilePointerEx, WriteFile, DeleteFileW, SetFileTime, GetVolumePathNameW, SetFilePointer, ReadFile, GetFileAttributesW, GetFileType, RemoveDirectoryW, FindFirstFileExW, CompareFileTime, GetFullPathNameW, GetDiskFreeSpaceExW, FileTimeToLocalFileTime, GetFileSize, FindFirstFileW
api-ms-win-core-string-l1-1-0.dll: WideCharToMultiByte, MultiByteToWideChar
api-ms-win-core-processenvironment-l1-1-0.dll: GetCommandLineW, GetEnvironmentStringsW, ExpandEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SearchPathW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetEnvironmentVariableW, SetEnvironmentStringsW, GetStdHandle
api-ms-win-core-console-l2-1-0.dll: SetConsoleCursorPosition, GetConsoleScreenBufferInfo, ScrollConsoleScreenBufferW, FillConsoleOutputAttribute, FillConsoleOutputCharacterW, FlushConsoleInputBuffer, SetConsoleTextAttribute
api-ms-win-security-base-l1-1-0.dll: GetFileSecurityW, RevertToSelf, GetSecurityDescriptorOwner
api-ms-win-core-sysinfo-l1-1-0.dll: GetSystemTime, SetLocalTime, GetSystemTimeAsFileTime, GetTickCount, GetWindowsDirectoryW, GetLocalTime, GetVersion
api-ms-win-core-timezone-l1-1-0.dll: SystemTimeToFileTime, FileTimeToSystemTime
api-ms-win-core-datetime-l1-1-0.dll: GetDateFormatW, GetTimeFormatW
api-ms-win-core-systemtopology-l1-1-0.dll: GetNumaNodeProcessorMaskEx, GetNumaHighestNodeNumber
api-ms-win-core-console-l2-2-0.dll: SetConsoleTitleW, GetConsoleTitleW
api-ms-win-core-processenvironment-l1-2-0.dll: NeedCurrentDirectoryForExePathW
api-ms-win-core-registry-l1-1-0.dll: RegCloseKey, RegSetValueExW, RegOpenKeyExW, RegCreateKeyExW, RegEnumKeyExW, RegDeleteKeyExW, RegDeleteValueW, RegQueryValueExW
api-ms-win-core-file-l2-1-0.dll: MoveFileExW, CreateSymbolicLinkW, CreateHardLinkW, MoveFileWithProgressW, GetFileInformationByHandleEx
api-ms-win-core-heap-l2-1-0.dll: GlobalAlloc, GlobalFree, LocalFree
api-ms-win-core-io-l1-1-0.dll: DeviceIoControl
api-ms-win-core-winrt-l1-1-0.dll: RoInitialize, RoUninitialize
api-ms-win-core-processtopology-l1-1-0.dll: GetThreadGroupAffinity
api-ms-win-core-synch-l1-2-0.dll: Sleep
api-ms-win-core-profile-l1-1-0.dll: QueryPerformanceCounter
api-ms-win-core-string-obsolete-l1-1-0.dll: lstrcmpW, lstrcmpiW
api-ms-win-core-processtopology-obsolete-l1-1-0.dll: SetProcessAffinityMask
api-ms-win-core-apiquery-l1-1-0.dll: ApiSetQueryApiSetPresence
api-ms-win-core-delayload-l1-1-1.dll: ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll: DelayLoadFailureHook
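The Import Hash field above (272245e2988e1e430500b852c4fb5e18) is an MD5 over this import table, and two properties of its construction matter when pivoting on it: it is order-sensitive and case-normalised, and it hashes module names verbatim, so a binary like this one that imports through api-ms-win-* API-set contracts never shares an imphash with a build that imports the same functions from kernel32.dll. The Python below is an added example, not Joe Sandbox or pefile code; it reproduces the pefile/Mandiant algorithm except for pefile's ordinal-to-name lookup table, and its six-entry EXCERPT is a constructed slice of the import list above, so the value it prints is not expected to equal the report's hash.

```python
"""Import hash (imphash) as used by pefile and most sandboxes: for each imported
function, "<module>.<function>" lower-cased with the module's .dll/.ocx/.sys
extension removed, joined with commas in import-table order, then MD5."""
import hashlib


def _module(name: str) -> str:
    """Lower-case the module name and strip the extensions pefile strips."""
    name = name.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[:-len(ext)]
    return name


def imphash_string(imports) -> str:
    """Canonical string that gets hashed; imports is an iterable of
    (module, function-name-or-ordinal) pairs in import-table order.
    Simplification: ordinals always become "ord<N>"; pefile additionally maps
    well-known ws2_32/oleaut32 ordinals back to names, so files importing by
    ordinal from those modules would hash differently here."""
    parts = []
    for module, func in imports:
        func = "ord%d" % func if isinstance(func, int) else func.lower()
        parts.append("%s.%s" % (_module(module), func))
    return ",".join(parts)


def imphash(imports) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed excerpt of the report's import table: the first entries of two of its
# modules, in the order the report lists them.
EXCERPT = [
    ("ntdll.dll", "RtlLookupFunctionEntry"), ("ntdll.dll", "RtlCaptureContext"),
    ("ntdll.dll", "NtOpenProcessToken"), ("ntdll.dll", "NtQueryInformationToken"),
    ("api-ms-win-core-processthreads-l1-1-0.dll", "InitializeProcThreadAttributeList"),
    ("api-ms-win-core-processthreads-l1-1-0.dll", "CreateProcessAsUserW"),
]
# The same functions as a classic build would import them, straight from kernel32.
CLASSIC = [("kernel32.dll" if m.startswith("api-ms") else m, f) for m, f in EXCERPT]

if __name__ == "__main__":
    print(imphash_string(EXCERPT))
    print("api-set build:", imphash(EXCERPT))
    print("kernel32 build:", imphash(CLASSIC))
```

Feeding the full import list from this report into `imphash()` in the listed order is the check to run if you want to confirm the report's value; a mismatch would point at ordinal handling or a different module order in the real import directory rather than at the sample.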
Language of compilation system: English; Country where language is spoken: United States
No network behavior found

Target ID:0
Start time:05:07:45
Start date:02/02/2024
Path:C:\Users\user\Desktop\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\Desktop\cmd.exe
Imagebase:0x7ff6d9fd0000
File size:289'792 bytes
MD5 hash:CB6CD09F6A25744A8FA6E4B3E4D260C5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:1
Start time:05:07:45
Start date:02/02/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false


    Execution Graph

    Execution Coverage:5.4%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:33.5%
    Total number of Nodes:890
    Total number of Limit Nodes:19

    [Execution graph node and edge listing omitted: the exported dump is truncated and not readable as text. It begins at node 7ff6d9fd9b50 (one of the code functions listed in the signature results) and its edges pass through the file and path handling seen there: FindFirstFileW/FindNextFileW, GetFullPathNameW, CreateFileW, SetFilePointer, ReadFile, _wpopen, wcstol, wcschr and MultiByteToWideChar.]
18497->18477 18646 7ff6d9fd96b4 18497->18646 18498->18478 18499->18505 18506 7ff6d9fda7e0 feof 18499->18506 18500->18478 18508 7ff6d9ffe91c 198 API calls 18501->18508 18502->18473 18503->18473 18504->18478 18505->18494 18509 7ff6d9fda7ff ferror 18506->18509 18510 7ff6d9fda890 _pclose 18506->18510 18508->18473 18509->18510 18518 7ff6d9fda812 18509->18518 18513 7ff6d9fdaf74 170 API calls 18510->18513 18511->18478 18512->18478 18512->18482 18513->18478 18514 7ff6d9fda843 fgets 18514->18510 18514->18518 18515->18478 18515->18482 18519 7ff6d9fd3278 166 API calls 18516->18519 18517 7ff6d9fdcd90 166 API calls 18517->18518 18518->18491 18518->18514 18518->18517 18518->18518 18520 7ff6d9fdaf74 170 API calls 18518->18520 18524 7ff6d9fda879 feof 18518->18524 18519->18473 18520->18518 18521->18478 18522->18478 18523->18478 18524->18509 18524->18510 18525->18478 18526->18478 18527->18478 18528->18478 18529->18478 18533 7ff6d9fd82e7 18530->18533 18534 7ff6d9fd822d 18530->18534 18531 7ff6d9fe8f80 7 API calls 18532 7ff6d9fd82fa 18531->18532 18532->18457 18533->18531 18534->18533 18536 7ff6d9fd8266 wcschr 18534->18536 18543 7ff6d9fdaa14 214 API calls 18534->18543 18546 7ff6d9fda9ec 3 API calls 18534->18546 18562 7ff6d9fd83c6 18534->18562 18535 7ff6d9feb1f7 18537 7ff6d9ffe9b4 197 API calls 18535->18537 18538 7ff6d9fd8283 wcschr 18536->18538 18539 7ff6d9fd830f 18536->18539 18540 7ff6d9feb21b longjmp 18537->18540 18538->18534 18538->18539 18542 7ff6d9fe1ea0 8 API calls 18539->18542 18540->18533 18541 7ff6d9feb1d5 18541->18535 18547 7ff6d9fd96b4 186 API calls 18541->18547 18544 7ff6d9fd8317 18542->18544 18543->18534 18545 7ff6d9fdb900 166 API calls 18544->18545 18548 7ff6d9fd831f 18545->18548 18546->18534 18547->18541 18549 7ff6d9fe823c 10 API calls 18548->18549 18550 7ff6d9fd8364 18549->18550 18551 7ff6d9fd8b20 231 API calls 18550->18551 18550->18562 18555 7ff6d9fd8378 18551->18555 18552 7ff6d9fdff70 2 API calls 18552->18562 18553 7ff6d9fdcd90 166 API calls 18553->18562 18554 
7ff6d9ffe91c 198 API calls 18554->18562 18556 7ff6d9fdcd90 166 API calls 18555->18556 18555->18562 18556->18562 18557 7ff6d9ffee88 390 API calls 18557->18562 18558 7ff6d9fe8a70 2 API calls 18558->18562 18559 7ff6d9feb1f9 18559->18535 18563 7ff6d9fd96b4 186 API calls 18559->18563 18560 7ff6d9fe58e4 EnterCriticalSection LeaveCriticalSection 18560->18562 18561 7ff6d9fda9ec 3 API calls 18561->18562 18562->18535 18562->18541 18562->18552 18562->18553 18562->18554 18562->18557 18562->18558 18562->18559 18562->18560 18562->18561 18564 7ff6d9fe3a0c 2 API calls 18562->18564 18565 7ff6d9fdaf74 170 API calls 18562->18565 18566 7ff6d9fdaa14 214 API calls 18562->18566 18563->18559 18564->18562 18565->18562 18566->18562 18666 7ff6d9fe1460 18567->18666 18571 7ff6d9febb8f 18720 7ff6d9ff778c 18571->18720 18574 7ff6d9fe3448 166 API calls 18575 7ff6d9fdaa33 18574->18575 18575->18465 18577 7ff6d9fda9fd 18576->18577 18578 7ff6d9fda9f8 18576->18578 18577->18465 18882 7ff6d9fe2d70 18578->18882 18581 7ff6d9ffe954 18580->18581 18582 7ff6d9ffe990 18580->18582 18584 7ff6d9ffee88 390 API calls 18581->18584 18583 7ff6d9ffe9b4 197 API calls 18582->18583 18585 7ff6d9ffe995 longjmp 18583->18585 18586 7ff6d9ffe964 18584->18586 18586->18582 18587 7ff6d9fd96b4 186 API calls 18586->18587 18587->18586 18592 7ff6d9ff7b94 18588->18592 18589 7ff6d9ff7ec4 18590 7ff6d9fe8f80 7 API calls 18589->18590 18591 7ff6d9ff7ee2 18590->18591 18591->18465 18592->18589 18593 7ff6d9fdcd90 166 API calls 18592->18593 18598 7ff6d9ff7bea 18593->18598 18594 7ff6d9fd81d4 443 API calls 18595 7ff6d9ff7c7b 18594->18595 18596 7ff6d9fdff70 2 API calls 18595->18596 18597 7ff6d9ff7c86 18596->18597 18599 7ff6d9fdcd90 166 API calls 18597->18599 18598->18589 18598->18594 18600 7ff6d9ff7c9f 18599->18600 18600->18589 18601 7ff6d9ff7cda FindFirstFileW 18600->18601 18602 7ff6d9ff7ebc 18601->18602 18606 7ff6d9ff7d01 18601->18606 18603 7ff6d9fdff70 2 API calls 18602->18603 18603->18589 18604 7ff6d9ff7e8a FindNextFileW 18605 7ff6d9ff7ead 
FindClose 18604->18605 18604->18606 18605->18602 18606->18604 18607 7ff6d9fdb6b0 170 API calls 18606->18607 18608 7ff6d9ff7ea7 18606->18608 18609 7ff6d9ff7b4c 443 API calls 18606->18609 18607->18606 18608->18605 18609->18606 18611 7ff6d9ffeed1 18610->18611 18612 7ff6d9ffeefd 18610->18612 18651 7ff6d9fd7420 18611->18651 18665 7ff6d9fe885c FormatMessageW 18612->18665 18616 7ff6d9fe01b8 6 API calls 18617 7ff6d9ffeee5 18616->18617 18619 7ff6d9ffeeeb 18617->18619 18620 7ff6d9ffeef8 18617->18620 18618 7ff6d9ffef04 18621 7ff6d9ffef41 LocalFree GetStdHandle GetConsoleMode 18618->18621 18624 7ff6d9ffef2f _wcsupr 18618->18624 18622 7ff6d9fdd208 _close 18619->18622 18623 7ff6d9fdd208 _close 18620->18623 18626 7ff6d9ffefcf SetConsoleMode 18621->18626 18627 7ff6d9ffefe8 GetStdHandle GetConsoleMode 18621->18627 18643 7ff6d9ffeef0 18622->18643 18623->18612 18624->18621 18626->18627 18629 7ff6d9fff015 SetConsoleMode 18627->18629 18636 7ff6d9fff03c 18627->18636 18628 7ff6d9fe8f80 7 API calls 18630 7ff6d9fff1b8 18628->18630 18629->18636 18630->18478 18631 7ff6d9fd3240 166 API calls 18631->18636 18632 7ff6d9fff07e GetStdHandle FlushConsoleInputBuffer 18632->18636 18633 7ff6d9fff0a0 GetStdHandle 18635 7ff6d9ff8450 367 API calls 18633->18635 18634 7ff6d9fff12d wcschr 18634->18636 18635->18636 18636->18631 18636->18632 18636->18633 18636->18634 18637 7ff6d9fff161 18636->18637 18640 7ff6d9fe3448 166 API calls 18636->18640 18642 7ff6d9fff0d7 towupper 18636->18642 18644 7ff6d9fe01b8 6 API calls 18636->18644 18645 7ff6d9fe3448 166 API calls 18636->18645 18638 7ff6d9fff17a 18637->18638 18639 7ff6d9fff166 SetConsoleMode 18637->18639 18641 7ff6d9fff17f SetConsoleMode 18638->18641 18638->18643 18639->18638 18640->18634 18641->18643 18642->18636 18643->18628 18644->18636 18645->18636 18647 7ff6d9feb6e2 RevertToSelf CloseHandle 18646->18647 18648 7ff6d9fd96c8 18646->18648 18649 7ff6d9fd96ce 18648->18649 18650 7ff6d9fd6a48 184 API calls 18648->18650 18649->18497 18650->18648 18652 7ff6d9fd745f 
18651->18652 18653 7ff6d9fd7468 18651->18653 18652->18653 18654 7ff6d9ff48c8 _wcsicmp 18652->18654 18655 7ff6d9fd7497 _wcsicmp 18652->18655 18653->18612 18653->18616 18658 7ff6d9ff48ed CreateFileW 18654->18658 18656 7ff6d9fe1ea0 8 API calls 18655->18656 18657 7ff6d9fd74bd 18656->18657 18657->18658 18659 7ff6d9fd74c9 CreateFileW 18657->18659 18658->18659 18660 7ff6d9ff4929 18658->18660 18661 7ff6d9ff4943 GetLastError 18659->18661 18662 7ff6d9fd7501 _open_osfhandle 18659->18662 18660->18662 18661->18653 18662->18653 18663 7ff6d9fd7520 CloseHandle 18662->18663 18663->18653 18665->18618 18678 7ff6d9fe1480 18666->18678 18668 7ff6d9fe1521 18670 7ff6d9fe1460 204 API calls 18668->18670 18671 7ff6d9fe152c 18670->18671 18675 7ff6d9fe1460 204 API calls 18671->18675 18681 7ff6d9fdaa22 18671->18681 18672 7ff6d9fe14aa 18672->18681 18751 7ff6d9fe1630 18672->18751 18673 7ff6d9fe1630 204 API calls 18676 7ff6d9fe14f1 18673->18676 18674 7ff6d9fe1460 204 API calls 18674->18678 18677 7ff6d9fe153f 18675->18677 18679 7ff6d9fe1630 204 API calls 18676->18679 18676->18681 18680 7ff6d9fe1630 204 API calls 18677->18680 18677->18681 18678->18668 18678->18672 18678->18674 18678->18681 18679->18676 18680->18677 18681->18575 18682 7ff6d9ffbfec 18681->18682 18683 7ff6d9ffc047 18682->18683 18684 7ff6d9ffc036 18682->18684 18685 7ff6d9ffc6db 18683->18685 18687 7ff6d9ffc067 18683->18687 18690 7ff6d9fe3448 166 API calls 18683->18690 18686 7ff6d9fd3240 166 API calls 18684->18686 18688 7ff6d9fe8f80 7 API calls 18685->18688 18689 7ff6d9ffc042 18686->18689 18693 7ff6d9fe081c 166 API calls 18687->18693 18695 7ff6d9ffc070 18687->18695 18691 7ff6d9ffc6eb 18688->18691 18860 7ff6d9fe58e4 EnterCriticalSection LeaveCriticalSection 18689->18860 18690->18687 18691->18571 18693->18695 18694 7ff6d9fe417c 166 API calls 18696 7ff6d9ffc0d1 18694->18696 18695->18694 18856 7ff6d9ffbf84 18696->18856 18699 7ff6d9ffc673 18700 7ff6d9fe33f0 _vsnwprintf 18699->18700 18701 7ff6d9ffc696 18700->18701 18701->18701 18703 
7ff6d9fe34a0 166 API calls 18701->18703 18702 7ff6d9ffc1c5 towupper 18711 7ff6d9ffc11a 18702->18711 18704 7ff6d9ffc6ce 18703->18704 18704->18685 18867 7ff6d9fe58e4 EnterCriticalSection LeaveCriticalSection 18704->18867 18705 7ff6d9fe33f0 _vsnwprintf 18705->18711 18706 7ff6d9fe3140 166 API calls 18706->18711 18708 7ff6d9fd6ee4 166 API calls 18715 7ff6d9ffc331 18708->18715 18711->18701 18711->18702 18711->18705 18712 7ff6d9ffc2db GetDriveTypeW 18711->18712 18713 7ff6d9fe33f0 _vsnwprintf 18711->18713 18711->18715 18861 7ff6d9fd586c GetVersion 18711->18861 18866 7ff6d9fe885c FormatMessageW 18711->18866 18712->18711 18712->18715 18714 7ff6d9ffc5c8 LocalFree 18713->18714 18714->18711 18715->18706 18715->18708 18715->18711 18716 7ff6d9ffc3ab 18715->18716 18717 7ff6d9fe33f0 _vsnwprintf 18715->18717 18718 7ff6d9fe33f0 _vsnwprintf 18716->18718 18717->18715 18719 7ff6d9ffc3bd 18718->18719 18719->18571 18721 7ff6d9ff77bc 18720->18721 18722 7ff6d9ff7989 18721->18722 18723 7ff6d9ff7aca 18721->18723 18724 7ff6d9ff79c0 18721->18724 18727 7ff6d9ff7ab5 18721->18727 18729 7ff6d9ff7984 18721->18729 18732 7ff6d9ff7a00 18721->18732 18743 7ff6d9febb99 18721->18743 18746 7ff6d9fe3448 166 API calls 18721->18746 18748 7ff6d9ff778c 166 API calls 18721->18748 18722->18743 18875 7ff6d9ff76e0 18722->18875 18726 7ff6d9fe34a0 166 API calls 18723->18726 18730 7ff6d9fe34a0 166 API calls 18724->18730 18728 7ff6d9ff7adb 18726->18728 18731 7ff6d9fe3448 166 API calls 18727->18731 18733 7ff6d9fe3448 166 API calls 18728->18733 18737 7ff6d9ff7af0 18728->18737 18729->18722 18729->18724 18735 7ff6d9ff79d6 18730->18735 18731->18743 18738 7ff6d9ff7a0b 18732->18738 18732->18743 18749 7ff6d9ff7a33 18732->18749 18733->18737 18734 7ff6d9ff778c 166 API calls 18739 7ff6d9ff7afb 18734->18739 18736 7ff6d9ff79e7 18735->18736 18740 7ff6d9fe3448 166 API calls 18735->18740 18871 7ff6d9ff7730 18736->18871 18737->18734 18738->18743 18744 7ff6d9fe34a0 166 API calls 18738->18744 18739->18722 18745 7ff6d9fe3448 166 API calls 
18739->18745 18740->18736 18742 7ff6d9fe3448 166 API calls 18742->18743 18743->18574 18747 7ff6d9ff7a23 18744->18747 18745->18722 18746->18721 18750 7ff6d9ff778c 166 API calls 18747->18750 18748->18721 18749->18742 18750->18736 18752 7ff6d9fe165b 18751->18752 18754 7ff6d9fe14d6 18751->18754 18753 7ff6d9fe1670 GetProcessHeap HeapAlloc 18752->18753 18752->18754 18755 7ff6d9fedbc5 18753->18755 18764 7ff6d9fe16a2 18753->18764 18754->18673 18754->18681 18756 7ff6d9fd3278 166 API calls 18755->18756 18756->18754 18757 7ff6d9fe1716 18757->18754 18758 7ff6d9fedbb1 18757->18758 18759 7ff6d9fe1757 GetProcessHeap HeapReAlloc 18757->18759 18760 7ff6d9fd3278 166 API calls 18758->18760 18759->18758 18761 7ff6d9fe1786 GetProcessHeap HeapSize 18759->18761 18760->18754 18761->18754 18763 7ff6d9fe188d wcsrchr 18763->18754 18763->18764 18764->18754 18764->18757 18764->18763 18765 7ff6d9fe18d4 18764->18765 18766 7ff6d9fe1935 18765->18766 18767 7ff6d9fe193b 18765->18767 18766->18767 18768 7ff6d9fe19a1 18766->18768 18769 7ff6d9fe195a 18767->18769 18770 7ff6d9fe1946 wcsrchr 18767->18770 18812 7ff6d9fedbda 18768->18812 18839 7ff6d9fe2e44 18768->18839 18771 7ff6d9fe8f80 7 API calls 18769->18771 18770->18769 18775 7ff6d9fe1978 18771->18775 18773 7ff6d9fedbdf longjmp 18774 7ff6d9fedbf3 ??_V@YAXPEAX 18773->18774 18776 7ff6d9fedbff ??_V@YAXPEAX 18774->18776 18775->18764 18776->18769 18777 7ff6d9fe1a21 18779 7ff6d9fedc3c wcschr 18777->18779 18780 7ff6d9fe1a3c wcsrchr 18777->18780 18789 7ff6d9fe1dfe 18777->18789 18778 7ff6d9fe19f3 towlower wcsrchr 18778->18777 18781 7ff6d9fe1af6 wcsrchr 18778->18781 18783 7ff6d9fedcd2 18779->18783 18784 7ff6d9fedc5d 18779->18784 18782 7ff6d9fe1a54 wcsrchr 18780->18782 18780->18789 18785 7ff6d9fe1b11 towlower 18781->18785 18781->18789 18782->18783 18786 7ff6d9fe1a71 18782->18786 18783->18776 18788 7ff6d9fd3278 166 API calls 18783->18788 18787 7ff6d9fdcd90 166 API calls 18784->18787 18785->18789 18792 7ff6d9fe19cf 18785->18792 18795 7ff6d9fdb900 166 API calls 
18786->18795 18802 7ff6d9fe1a95 18786->18802 18798 7ff6d9fedc75 18787->18798 18791 7ff6d9fedcef longjmp 18788->18791 18789->18779 18789->18783 18790 7ff6d9fe1d74 18790->18769 18799 7ff6d9fe1d7d ??_V@YAXPEAX 18790->18799 18794 7ff6d9fedd03 18791->18794 18792->18777 18792->18778 18792->18789 18792->18812 18793 7ff6d9fedccd 18793->18776 18800 7ff6d9fedd3b 18794->18800 18801 7ff6d9fedd0c SearchPathW 18794->18801 18795->18802 18796 7ff6d9fe1b64 18796->18794 18805 7ff6d9fe1b76 GetFullPathNameW 18796->18805 18797 7ff6d9fe1acf 18803 7ff6d9fdb900 166 API calls 18797->18803 18798->18812 18844 7ff6d9fe3a90 18798->18844 18799->18769 18809 7ff6d9fedd5c wcsrchr 18800->18809 18801->18800 18802->18790 18802->18796 18802->18797 18802->18812 18806 7ff6d9fe1ad7 ??_V@YAXPEAX 18803->18806 18808 7ff6d9fe2978 13 API calls 18805->18808 18806->18769 18811 7ff6d9fe1ba7 wcsrchr 18808->18811 18814 7ff6d9fedd73 18809->18814 18810 7ff6d9fdff70 2 API calls 18810->18812 18811->18809 18813 7ff6d9fe1bc9 18811->18813 18812->18769 18812->18773 18812->18793 18813->18790 18815 7ff6d9fe1bda memset 18813->18815 18816 7ff6d9fedd78 longjmp 18814->18816 18818 7ff6d9fedd8c 18814->18818 18817 7ff6d9fdca40 17 API calls 18815->18817 18816->18818 18819 7ff6d9fe1c23 18817->18819 18818->18774 18818->18776 18819->18814 18820 7ff6d9fedda8 GetFileAttributesExW 18819->18820 18835 7ff6d9fe1c4f 18819->18835 18821 7ff6d9fedfd0 18820->18821 18824 7ff6d9feddc5 18820->18824 18821->18764 18822 7ff6d9fdb900 166 API calls 18825 7ff6d9fe1d52 18822->18825 18823 7ff6d9fe1d09 18823->18822 18828 7ff6d9fee035 18823->18828 18826 7ff6d9fedf34 18824->18826 18830 7ff6d9ff85d0 8 API calls 18824->18830 18825->18790 18829 7ff6d9fe1d68 ??_V@YAXPEAX 18825->18829 18827 7ff6d9fedf4d 18826->18827 18826->18835 18832 7ff6da0008ec 9 API calls 18827->18832 18829->18790 18831 7ff6d9fede3f 18830->18831 18834 7ff6d9fd6ee4 166 API calls 18831->18834 18832->18821 18833 7ff6d9fe1cd8 wcsrchr 18833->18828 18836 7ff6d9fe1cf5 18833->18836 18837 7ff6d9fedeb6 
18834->18837 18835->18789 18835->18823 18835->18833 18836->18789 18836->18823 18838 7ff6d9fe3140 166 API calls 18837->18838 18838->18826 18840 7ff6d9fe9324 malloc 18839->18840 18841 7ff6d9fe2e7b 18840->18841 18842 7ff6d9fe2e83 memset 18841->18842 18843 7ff6d9fe2e90 18841->18843 18842->18843 18843->18792 18845 7ff6d9fe3aa4 18844->18845 18846 7ff6d9fe3b73 18844->18846 18845->18846 18847 7ff6d9fe09f4 2 API calls 18845->18847 18846->18810 18848 7ff6d9fe3ac8 18847->18848 18849 7ff6d9fdb900 166 API calls 18848->18849 18850 7ff6d9fe3ad0 18849->18850 18851 7ff6d9fe3ad8 wcsrchr 18850->18851 18852 7ff6d9fe3af4 18850->18852 18851->18852 18852->18852 18854 7ff6d9fe3b2d _wcsnicmp 18852->18854 18855 7ff6d9fe3b66 18852->18855 18853 7ff6d9fdff70 2 API calls 18853->18846 18854->18852 18855->18853 18857 7ff6d9ffbfb5 18856->18857 18858 7ff6d9ffbf99 18856->18858 18857->18685 18857->18699 18857->18711 18859 7ff6d9fe9324 malloc 18858->18859 18859->18857 18868 7ff6d9fd58d4 RegOpenKeyExW 18861->18868 18864 7ff6d9fe33f0 _vsnwprintf 18865 7ff6d9fd58c2 18864->18865 18865->18711 18866->18711 18869 7ff6d9fd5913 RegQueryValueExW RegCloseKey 18868->18869 18870 7ff6d9fd588c 18868->18870 18869->18870 18870->18864 18873 7ff6d9ff773c 18871->18873 18872 7ff6d9ff777d 18872->18743 18873->18872 18874 7ff6d9fe3448 166 API calls 18873->18874 18874->18873 18876 7ff6d9ff778c 166 API calls 18875->18876 18877 7ff6d9ff76fb 18876->18877 18878 7ff6d9ff771c 18877->18878 18879 7ff6d9fe3448 166 API calls 18877->18879 18878->18743 18880 7ff6d9ff7711 18879->18880 18881 7ff6d9ff778c 166 API calls 18880->18881 18881->18878 18883 7ff6d9fe2da3 18882->18883 18884 7ff6d9fe2d89 18882->18884 18883->18884 18886 7ff6d9fe2dbc GetProcessHeap RtlFreeHeap 18883->18886 18887 7ff6d9fe2d9c 18884->18887 18888 7ff6d9fe2e0c 18884->18888 18886->18883 18886->18884 18887->18577 18889 7ff6d9fe2e11 18888->18889 18890 7ff6d9fe2e32 18888->18890 18889->18890 18891 7ff6d9fee494 VirtualFree 18889->18891 18890->18884 19126 7ff6d9fdd360 19127 
7ff6d9fded90 19126->19127 19128 7ff6d9fdee74 19127->19128 19149 7ff6d9fdef40 19127->19149 19130 7ff6d9fdedf8 19131 7ff6d9fed0a2 longjmp 19130->19131 19132 7ff6d9fed0c5 19130->19132 19135 7ff6d9fdee68 19130->19135 19143 7ff6d9fdeeb1 19130->19143 19131->19132 19133 7ff6d9fe3448 166 API calls 19132->19133 19134 7ff6d9fed0d4 19133->19134 19137 7ff6d9fdef40 472 API calls 19135->19137 19136 7ff6d9fdeece 19136->19128 19138 7ff6d9fdcd90 166 API calls 19136->19138 19137->19128 19139 7ff6d9fdeee7 19138->19139 19141 7ff6d9fdeeef 19139->19141 19142 7ff6d9fdef31 19139->19142 19144 7ff6d9fde600 473 API calls 19141->19144 19145 7ff6d9ffe91c 198 API calls 19142->19145 19143->19136 19146 7ff6d9fdeec2 19143->19146 19193 7ff6d9fde600 19143->19193 19144->19128 19147 7ff6d9fdef36 19145->19147 19148 7ff6d9fdef40 472 API calls 19146->19148 19147->19131 19148->19136 19150 7ff6d9fdef71 19149->19150 19151 7ff6d9fed1f3 19150->19151 19152 7ff6d9fdf130 19150->19152 19160 7ff6d9fdef87 19150->19160 19151->19130 19153 7ff6d9fe3448 166 API calls 19152->19153 19180 7ff6d9fdf10e 19152->19180 19192 7ff6d9fdf046 19153->19192 19154 7ff6d9fdf433 19202 7ff6d9fdf8c0 EnterCriticalSection LeaveCriticalSection 19154->19202 19155 7ff6d9fdf438 19155->19192 19259 7ff6d9fdf860 19155->19259 19157 7ff6d9fdf8c0 456 API calls 19157->19192 19158 7ff6d9fdeff2 iswspace 19159 7ff6d9fdf01f wcschr 19158->19159 19158->19160 19159->19192 19160->19151 19160->19154 19160->19155 19160->19158 19160->19159 19160->19192 19162 7ff6d9fdf558 iswspace 19165 7ff6d9fdf6cd wcschr 19162->19165 19162->19192 19163 7ff6d9fdf0c4 iswdigit 19164 7ff6d9fdf5aa 19163->19164 19173 7ff6d9fdf0ea 19163->19173 19168 7ff6d9fdf860 456 API calls 19164->19168 19165->19192 19166 7ff6d9fdf860 456 API calls 19166->19192 19167 7ff6d9fdf471 19169 7ff6d9fdf860 456 API calls 19167->19169 19178 7ff6d9fdf4af 19168->19178 19169->19173 19170 7ff6d9fdf1fc iswdigit 19170->19192 19171 7ff6d9fdf1b7 iswspace 19171->19163 19172 7ff6d9fdf1ce wcschr 19171->19172 
19172->19163 19172->19170 19174 7ff6d9fdf860 456 API calls 19173->19174 19173->19180 19176 7ff6d9fdf4a6 19174->19176 19175 7ff6d9fdf370 19177 7ff6d9fd3278 166 API calls 19175->19177 19175->19180 19176->19178 19181 7ff6d9fdf860 456 API calls 19176->19181 19177->19151 19179 7ff6d9fdf860 456 API calls 19178->19179 19178->19180 19182 7ff6d9fdf632 iswspace 19179->19182 19180->19130 19181->19178 19182->19178 19183 7ff6d9fdf648 wcschr 19182->19183 19183->19178 19185 7ff6d9fdf65f iswdigit 19183->19185 19184 7ff6d9fdf32f iswspace 19184->19175 19187 7ff6d9fdf342 wcschr 19184->19187 19185->19180 19188 7ff6d9fdf67b 19185->19188 19186 7ff6d9fdf2b8 iswdigit 19186->19192 19187->19175 19187->19186 19189 7ff6d9fdf860 456 API calls 19188->19189 19189->19180 19190 7ff6d9fdf3d2 iswspace 19191 7ff6d9fdf3e9 wcschr 19190->19191 19190->19192 19191->19192 19192->19157 19192->19162 19192->19163 19192->19164 19192->19166 19192->19167 19192->19170 19192->19171 19192->19173 19192->19175 19192->19184 19192->19186 19192->19190 19194 7ff6d9fde60f 19193->19194 19195 7ff6d9feccca longjmp 19194->19195 19196 7ff6d9fdef40 472 API calls 19194->19196 19199 7ff6d9fde637 19195->19199 19197 7ff6d9fde626 19196->19197 19197->19195 19197->19199 19198 7ff6d9fe3448 166 API calls 19200 7ff6d9feccfe 19198->19200 19199->19198 19201 7ff6d9fde65f 19199->19201 19200->19143 19201->19143 19235 7ff6d9fdf934 19202->19235 19203 7ff6d9fdfb81 19212 7ff6d9fdfb46 19203->19212 19204 7ff6d9fdf94a EnterCriticalSection LeaveCriticalSection 19207 7ff6d9fdf994 _get_osfhandle 19204->19207 19204->19235 19205 7ff6d9fd3240 166 API calls 19205->19235 19206 7ff6d9ffbfec 176 API calls 19206->19235 19209 7ff6d9fe0010 9 API calls 19207->19209 19222 7ff6d9fdf9b7 19209->19222 19211 7ff6d9fdfb52 19211->19155 19265 7ff6d9fdfc30 GetProcessHeap HeapAlloc 19212->19265 19213 7ff6d9fed3fa EnterCriticalSection LeaveCriticalSection longjmp 19213->19222 19214 7ff6d9fdfbe6 GetLastError 19219 7ff6d9fdfbfc 19214->19219 19215 7ff6d9fed388 _get_osfhandle 
19218 7ff6d9fe0010 9 API calls 19215->19218 19216 7ff6d9fe01b8 6 API calls 19216->19235 19217 7ff6d9fe01b8 6 API calls 19217->19222 19218->19222 19219->19155 19220 7ff6d9fed3b6 GetLastError 19220->19219 19220->19222 19221 7ff6d9ffe9b4 197 API calls 19223 7ff6d9fed474 longjmp 19221->19223 19222->19207 19222->19213 19222->19214 19222->19215 19222->19217 19222->19219 19222->19220 19222->19221 19222->19235 19223->19235 19224 7ff6d9fed2ac 19301 7ff6d9ffbf2c _get_osfhandle 19224->19301 19225 7ff6d9fed2c7 EnterCriticalSection LeaveCriticalSection _get_osfhandle 19227 7ff6d9ff7f00 357 API calls 19225->19227 19227->19235 19228 7ff6d9fdfa80 wcschr 19228->19235 19229 7ff6d9fed32e GetLastError 19229->19235 19230 7ff6d9fe3448 166 API calls 19232 7ff6d9fed34d longjmp 19230->19232 19231 7ff6d9fe3448 166 API calls 19231->19235 19232->19235 19233 7ff6d9fdfbd4 19233->19212 19242 7ff6d9fdfbe1 19233->19242 19234 7ff6d9fdfa42 19234->19155 19235->19203 19235->19204 19235->19205 19235->19206 19235->19207 19235->19212 19235->19214 19235->19216 19235->19222 19235->19224 19235->19225 19235->19228 19235->19229 19235->19230 19235->19231 19235->19233 19235->19234 19236 7ff6d9fdfaf0 19235->19236 19264 7ff6d9fff318 _get_osfhandle GetFileType 19235->19264 19237 7ff6d9fe01b8 6 API calls 19236->19237 19238 7ff6d9fdfb0a 19237->19238 19238->19212 19241 7ff6d9fdfb0e _get_osfhandle SetFilePointer 19238->19241 19239 7ff6d9fed4ee 19240 7ff6d9fd3278 166 API calls 19239->19240 19246 7ff6d9fed4fb 19240->19246 19241->19212 19247 7ff6d9fed533 19241->19247 19242->19239 19243 7ff6d9fed4dd 19242->19243 19244 7ff6d9ffbfec 176 API calls 19242->19244 19245 7ff6d9fd3278 166 API calls 19243->19245 19248 7ff6d9fed4c9 19244->19248 19249 7ff6d9fed4e9 19245->19249 19250 7ff6d9fed514 longjmp 19246->19250 19253 7ff6d9fe01b8 6 API calls 19246->19253 19247->19212 19255 7ff6d9fe34a0 166 API calls 19247->19255 19251 7ff6d9fe3448 166 API calls 19248->19251 19252 7ff6d9ffe91c 198 API calls 19249->19252 19250->19234 19254 
7ff6d9fed4d1 19251->19254 19252->19239 19256 7ff6d9fed50b 19253->19256 19257 7ff6d9fe3448 166 API calls 19254->19257 19255->19212 19256->19250 19306 7ff6d9fff4a8 19256->19306 19257->19243 19262 7ff6d9fdf871 19259->19262 19260 7ff6d9fdf881 19260->19192 19261 7ff6d9fdf8c0 456 API calls 19263 7ff6d9fed203 19261->19263 19262->19260 19262->19261 19264->19235 19266 7ff6d9fed55c 19265->19266 19267 7ff6d9fdfc6a 19265->19267 19269 7ff6d9fd3278 166 API calls 19266->19269 19268 7ff6d9fed571 memset longjmp 19267->19268 19282 7ff6d9fdfca2 19267->19282 19271 7ff6d9fdfce7 19268->19271 19270 7ff6d9fed566 19269->19270 19270->19268 19271->19211 19272 7ff6d9fdfd73 19273 7ff6d9fed638 19272->19273 19274 7ff6d9fdfd99 19272->19274 19276 7ff6d9fd3278 166 API calls 19273->19276 19275 7ff6d9fdff70 2 API calls 19274->19275 19278 7ff6d9fdfda1 19275->19278 19277 7ff6d9fed64c 19276->19277 19279 7ff6d9fdff70 2 API calls 19277->19279 19278->19211 19280 7ff6d9fed654 longjmp 19279->19280 19284 7ff6d9fdff4f 19280->19284 19282->19271 19282->19272 19283 7ff6d9fe18d4 197 API calls 19282->19283 19282->19284 19286 7ff6d9fed609 19282->19286 19292 7ff6d9fed5b5 memmove 19282->19292 19314 7ff6d9fdd840 GetProcessHeap HeapAlloc 19282->19314 19283->19282 19285 7ff6d9fe0129 19284->19285 19289 7ff6d9fed6db AcquireSRWLockShared ReadFile ReleaseSRWLockShared 19284->19289 19293 7ff6d9fe0131 SetFilePointer 19284->19293 19287 7ff6d9fe0167 MultiByteToWideChar 19285->19287 19288 7ff6d9fd3278 166 API calls 19286->19288 19294 7ff6d9fe0190 19287->19294 19291 7ff6d9fed615 19288->19291 19289->19294 19296 7ff6d9fdff70 2 API calls 19291->19296 19295 7ff6d9fd3278 166 API calls 19292->19295 19293->19285 19294->19211 19297 7ff6d9fed5e6 19295->19297 19298 7ff6d9fed61f longjmp 19296->19298 19299 7ff6d9fdff70 2 API calls 19297->19299 19298->19273 19300 7ff6d9fed5f0 longjmp 19299->19300 19300->19286 19302 7ff6d9ff8450 367 API calls 19301->19302 19303 7ff6d9ffbf59 19302->19303 19304 7ff6d9ffbf6b GetLastError 19303->19304 19305 
7ff6d9ffbf62 19303->19305 19305->19219 19307 7ff6d9fff4c1 GetStdHandle 19306->19307 19308 7ff6d9ff8450 367 API calls 19307->19308 19309 7ff6d9fff4ea 19308->19309 19310 7ff6d9fff4ee wcschr 19309->19310 19311 7ff6d9fff509 19309->19311 19310->19307 19310->19311 19312 7ff6d9fe8f80 7 API calls 19311->19312 19313 7ff6d9fff519 19312->19313 19313->19250 19315 7ff6d9fdd8b5 19314->19315 19316 7ff6d9fddefa 19314->19316 19318 7ff6d9fddf04 19315->19318 19322 7ff6d9fdd8e5 19315->19322 19317 7ff6d9fd3278 166 API calls 19316->19317 19317->19318 19319 7ff6d9fddf15 longjmp 19318->19319 19341 7ff6d9fdda67 19318->19341 19319->19341 19320 7ff6d9fdff70 2 API calls 19321 7ff6d9fddf34 19320->19321 19323 7ff6d9fdff70 2 API calls 19321->19323 19324 7ff6d9fdd94d GetProcessHeap HeapAlloc 19322->19324 19322->19341 19344 7ff6d9fddeb6 19322->19344 19325 7ff6d9fddf3c 19323->19325 19333 7ff6d9fdd97c 19324->19333 19324->19344 19325->19282 19326 7ff6d9fd3278 166 API calls 19327 7ff6d9fddec5 19326->19327 19328 7ff6d9fddeda longjmp 19327->19328 19327->19341 19328->19341 19329 7ff6d9fe081c 166 API calls 19329->19333 19330 7ff6d9fddbce wcstol 19330->19333 19331 7ff6d9fddaa9 19332 7ff6d9fdde4a 19331->19332 19338 7ff6d9fddaf3 19331->19338 19331->19341 19334 7ff6d9fd3278 166 API calls 19332->19334 19332->19341 19333->19327 19333->19329 19333->19330 19333->19331 19333->19333 19335 7ff6d9fddc43 19333->19335 19333->19341 19336 7ff6d9fdde69 longjmp 19334->19336 19337 7ff6d9fddc52 wcstol 19335->19337 19335->19341 19336->19341 19337->19341 19339 7ff6d9fddb80 _wcsnicmp 19338->19339 19338->19341 19339->19338 19340 7ff6d9fddd0f 19339->19340 19342 7ff6d9fddd30 memmove 19340->19342 19343 7ff6d9fdde97 memmove 19340->19343 19341->19320 19342->19341 19343->19344 19344->19326 19349 7ff6d9fdf173 19381 7ff6d9fdf046 19349->19381 19350 7ff6d9fdf5aa 19355 7ff6d9fdf860 456 API calls 19350->19355 19351 7ff6d9fdf0c4 iswdigit 19351->19350 19371 7ff6d9fdf0ea 19351->19371 19352 7ff6d9fdf1fc iswdigit 19352->19381 19353 7ff6d9fdf1b7 
iswspace 19353->19351 19354 7ff6d9fdf1ce wcschr 19353->19354 19354->19351 19354->19352 19362 7ff6d9fdf4af 19355->19362 19356 7ff6d9fdf558 iswspace 19358 7ff6d9fdf6cd wcschr 19356->19358 19356->19381 19357 7ff6d9fdf10e 19358->19381 19359 7ff6d9fdf860 456 API calls 19360 7ff6d9fdf4a6 19359->19360 19360->19362 19367 7ff6d9fdf860 456 API calls 19360->19367 19361 7ff6d9fdf8c0 456 API calls 19361->19381 19362->19357 19366 7ff6d9fdf860 456 API calls 19362->19366 19363 7ff6d9fdf471 19368 7ff6d9fdf860 456 API calls 19363->19368 19364 7ff6d9fdf370 19364->19357 19365 7ff6d9fd3278 166 API calls 19364->19365 19369 7ff6d9fed1f3 19365->19369 19370 7ff6d9fdf632 iswspace 19366->19370 19367->19362 19368->19371 19370->19362 19372 7ff6d9fdf648 wcschr 19370->19372 19371->19357 19371->19359 19372->19362 19373 7ff6d9fdf65f iswdigit 19372->19373 19373->19357 19375 7ff6d9fdf67b 19373->19375 19374 7ff6d9fdf32f iswspace 19374->19364 19376 7ff6d9fdf342 wcschr 19374->19376 19377 7ff6d9fdf860 456 API calls 19375->19377 19376->19364 19378 7ff6d9fdf2b8 iswdigit 19376->19378 19377->19357 19378->19381 19379 7ff6d9fdf3d2 iswspace 19380 7ff6d9fdf3e9 wcschr 19379->19380 19379->19381 19380->19381 19381->19350 19381->19351 19381->19352 19381->19353 19381->19356 19381->19361 19381->19363 19381->19364 19381->19371 19381->19374 19381->19378 19381->19379 19382 7ff6d9fdf860 456 API calls 19381->19382 19382->19381 16765 7ff6d9fe8d80 16766 7ff6d9fe8da4 16765->16766 16767 7ff6d9fe8db6 16766->16767 16768 7ff6d9fe8dbf Sleep 16766->16768 16769 7ff6d9fe8ddb _amsg_exit 16767->16769 16775 7ff6d9fe8de7 16767->16775 16768->16766 16769->16775 16770 7ff6d9fe8e56 _initterm 16772 7ff6d9fe8e73 _IsNonwritableInCurrentImage 16770->16772 16771 7ff6d9fe8e3c 16779 7ff6d9fe37d8 GetCurrentThreadId OpenThread 16772->16779 16775->16770 16775->16771 16775->16772 16812 7ff6d9fe04f4 16779->16812 16781 7ff6d9fe3839 HeapSetInformation RegOpenKeyExW 16782 7ff6d9fe388d 16781->16782 16783 7ff6d9fee9f8 RegQueryValueExW RegCloseKey 
16781->16783 16784 7ff6d9fe5920 VirtualQuery VirtualQuery 16782->16784 16786 7ff6d9feea41 GetThreadLocale 16783->16786 16785 7ff6d9fe38ab GetConsoleOutputCP GetCPInfo 16784->16785 16785->16786 16787 7ff6d9fe38f1 memset 16785->16787 16796 7ff6d9fe3919 16786->16796 16787->16796 16788 7ff6d9fe4d5c 391 API calls 16788->16796 16789 7ff6d9feeb27 _setjmp 16789->16796 16790 7ff6d9fe3948 _setjmp 16790->16796 16791 7ff6d9fd3240 166 API calls 16791->16796 16792 7ff6d9fe01b8 6 API calls 16792->16796 16793 7ff6d9fe4c1c 166 API calls 16793->16796 16794 7ff6d9feeb71 _setmode 16794->16796 16795 7ff6d9ff8530 370 API calls 16795->16796 16796->16783 16796->16788 16796->16789 16796->16790 16796->16791 16796->16792 16796->16793 16796->16794 16796->16795 16797 7ff6d9fe86f0 182 API calls 16796->16797 16798 7ff6d9fe0580 12 API calls 16796->16798 16800 7ff6d9fe58e4 EnterCriticalSection LeaveCriticalSection 16796->16800 16802 7ff6d9fdbe00 647 API calls 16796->16802 16803 7ff6d9fddf60 481 API calls 16796->16803 16804 7ff6d9fe58e4 EnterCriticalSection LeaveCriticalSection 16796->16804 16797->16796 16799 7ff6d9fe398b GetConsoleOutputCP GetCPInfo 16798->16799 16801 7ff6d9fe04f4 GetModuleHandleW GetProcAddress SetThreadLocale 16799->16801 16800->16796 16801->16796 16802->16796 16803->16796 16805 7ff6d9feebbe GetConsoleOutputCP GetCPInfo 16804->16805 16806 7ff6d9fe04f4 GetModuleHandleW GetProcAddress SetThreadLocale 16805->16806 16807 7ff6d9feebe6 16806->16807 16808 7ff6d9fdbe00 647 API calls 16807->16808 16809 7ff6d9fe0580 12 API calls 16807->16809 16808->16807 16810 7ff6d9feebfc GetConsoleOutputCP GetCPInfo 16809->16810 16811 7ff6d9fe04f4 GetModuleHandleW GetProcAddress SetThreadLocale 16810->16811 16811->16796 16813 7ff6d9fe0504 16812->16813 16814 7ff6d9fe051e GetModuleHandleW 16813->16814 16815 7ff6d9fe054d GetProcAddress 16813->16815 16816 7ff6d9fe056c SetThreadLocale 16813->16816 16814->16813 16815->16813 20175 7ff6d9fe3290 20189 7ff6d9fe32e4 20175->20189 20178 7ff6d9fe32b1 20181 
7ff6d9fe32cb 20178->20181 20183 7ff6d9fe3448 166 API calls 20178->20183 20179 7ff6d9fee80c 20180 7ff6d9fd3240 166 API calls 20179->20180 20182 7ff6d9fee825 20180->20182 20182->20181 20204 7ff6d9fff318 _get_osfhandle GetFileType 20182->20204 20183->20181 20185 7ff6d9fee839 20186 7ff6d9fe01b8 6 API calls 20185->20186 20187 7ff6d9fee83d 20185->20187 20186->20187 20187->20181 20188 7ff6d9fd3278 166 API calls 20187->20188 20188->20181 20190 7ff6d9fe3305 20189->20190 20191 7ff6d9fee8b6 20189->20191 20192 7ff6d9fe33a8 iswspace 20190->20192 20193 7ff6d9fe330a 20192->20193 20193->20191 20194 7ff6d9fe331c iswspace 20193->20194 20195 7ff6d9fe3338 20193->20195 20194->20193 20194->20195 20196 7ff6d9fe33a8 iswspace 20195->20196 20197 7ff6d9fe3340 20196->20197 20198 7ff6d9fe32a4 20197->20198 20199 7ff6d9fe3370 20197->20199 20200 7ff6d9fee876 _wcsnicmp 20197->20200 20198->20178 20198->20179 20201 7ff6d9fe3376 20199->20201 20202 7ff6d9fe3380 _wcsnicmp 20199->20202 20200->20198 20200->20201 20201->20198 20203 7ff6d9fd3278 166 API calls 20201->20203 20202->20198 20202->20201 20203->20198 20204->20185 20241 7ff6d9fdf59b 20272 7ff6d9fdf046 20241->20272 20242 7ff6d9fed1b6 20242->20242 20243 7ff6d9fdf32f iswspace 20246 7ff6d9fdf342 wcschr 20243->20246 20251 7ff6d9fdf370 20243->20251 20244 7ff6d9fdf2b8 iswdigit 20244->20272 20245 7ff6d9fdf860 456 API calls 20245->20272 20246->20244 20246->20251 20247 7ff6d9fdf860 456 API calls 20249 7ff6d9fdf4a6 20247->20249 20248 7ff6d9fdf3d2 iswspace 20250 7ff6d9fdf3e9 wcschr 20248->20250 20248->20272 20256 7ff6d9fdf860 456 API calls 20249->20256 20258 7ff6d9fdf4af 20249->20258 20250->20272 20252 7ff6d9fd3278 166 API calls 20251->20252 20255 7ff6d9fdf10e 20251->20255 20254 7ff6d9fed1f3 20252->20254 20253 7ff6d9fdf471 20257 7ff6d9fdf860 456 API calls 20253->20257 20256->20258 20269 7ff6d9fdf0ea 20257->20269 20258->20255 20259 7ff6d9fdf860 456 API calls 20258->20259 20260 7ff6d9fdf632 iswspace 20259->20260 20260->20258 20262 7ff6d9fdf648 wcschr 
20260->20262 20261 7ff6d9fdf8c0 456 API calls 20261->20272 20262->20258 20263 7ff6d9fdf65f iswdigit 20262->20263 20263->20255 20264 7ff6d9fdf67b 20263->20264 20265 7ff6d9fdf860 456 API calls 20264->20265 20265->20255 20266 7ff6d9fdf558 iswspace 20270 7ff6d9fdf6cd wcschr 20266->20270 20266->20272 20267 7ff6d9fdf0c4 iswdigit 20268 7ff6d9fdf5aa 20267->20268 20267->20269 20271 7ff6d9fdf860 456 API calls 20268->20271 20269->20247 20269->20255 20270->20272 20271->20258 20272->20242 20272->20243 20272->20244 20272->20245 20272->20248 20272->20251 20272->20253 20272->20261 20272->20266 20272->20267 20272->20268 20272->20269 20273 7ff6d9fdf1fc iswdigit 20272->20273 20274 7ff6d9fdf1b7 iswspace 20272->20274 20273->20272 20274->20267 20275 7ff6d9fdf1ce wcschr 20274->20275 20275->20267 20275->20273 21234 7ff6d9fdf6bb 21235 7ff6d9fdf6c8 21234->21235 21265 7ff6d9fdf046 21234->21265 21235->21235 21236 7ff6d9fdf32f iswspace 21239 7ff6d9fdf342 wcschr 21236->21239 21246 7ff6d9fdf370 21236->21246 21237 7ff6d9fdf2b8 iswdigit 21237->21265 21238 7ff6d9fdf860 456 API calls 21238->21265 21239->21237 21239->21246 21240 7ff6d9fdf860 456 API calls 21242 7ff6d9fdf4a6 21240->21242 21241 7ff6d9fdf3d2 iswspace 21243 7ff6d9fdf3e9 wcschr 21241->21243 21241->21265 21245 7ff6d9fdf860 456 API calls 21242->21245 21249 7ff6d9fdf4af 21242->21249 21243->21265 21244 7ff6d9fdf10e 21245->21249 21246->21244 21247 7ff6d9fd3278 166 API calls 21246->21247 21248 7ff6d9fed1f3 21247->21248 21249->21244 21251 7ff6d9fdf860 456 API calls 21249->21251 21250 7ff6d9fdf471 21252 7ff6d9fdf860 456 API calls 21250->21252 21253 7ff6d9fdf632 iswspace 21251->21253 21262 7ff6d9fdf0ea 21252->21262 21253->21249 21254 7ff6d9fdf648 wcschr 21253->21254 21254->21249 21255 7ff6d9fdf65f iswdigit 21254->21255 21255->21244 21256 7ff6d9fdf67b 21255->21256 21258 7ff6d9fdf860 456 API calls 21256->21258 21257 7ff6d9fdf8c0 456 API calls 21257->21265 21258->21244 21259 7ff6d9fdf558 iswspace 21263 7ff6d9fdf6cd wcschr 21259->21263 21259->21265 
21260 7ff6d9fdf0c4 iswdigit 21261 7ff6d9fdf5aa 21260->21261 21260->21262 21264 7ff6d9fdf860 456 API calls 21261->21264 21262->21240 21262->21244 21263->21265 21264->21249 21265->21236 21265->21237 21265->21238 21265->21241 21265->21246 21265->21250 21265->21257 21265->21259 21265->21260 21265->21261 21265->21262 21266 7ff6d9fdf1fc iswdigit 21265->21266 21267 7ff6d9fdf1b7 iswspace 21265->21267 21266->21265 21267->21260 21268 7ff6d9fdf1ce wcschr 21267->21268 21268->21260 21268->21266 21629 7ff6d9fdf5f2 21660 7ff6d9fdf046 21629->21660 21630 7ff6d9fdf610 21630->21630 21631 7ff6d9fdf32f iswspace 21633 7ff6d9fdf342 wcschr 21631->21633 21636 7ff6d9fdf370 21631->21636 21632 7ff6d9fdf2b8 iswdigit 21632->21660 21633->21632 21633->21636 21634 7ff6d9fdf860 456 API calls 21638 7ff6d9fdf4a6 21634->21638 21635 7ff6d9fdf3d2 iswspace 21639 7ff6d9fdf3e9 wcschr 21635->21639 21635->21660 21637 7ff6d9fd3278 166 API calls 21636->21637 21641 7ff6d9fdf10e 21636->21641 21640 7ff6d9fed1f3 21637->21640 21642 7ff6d9fdf860 456 API calls 21638->21642 21643 7ff6d9fdf4af 21638->21643 21639->21660 21642->21643 21643->21641 21645 7ff6d9fdf860 456 API calls 21643->21645 21644 7ff6d9fdf471 21646 7ff6d9fdf860 456 API calls 21644->21646 21647 7ff6d9fdf632 iswspace 21645->21647 21657 7ff6d9fdf0ea 21646->21657 21647->21643 21648 7ff6d9fdf648 wcschr 21647->21648 21648->21643 21650 7ff6d9fdf65f iswdigit 21648->21650 21649 7ff6d9fdf860 456 API calls 21649->21660 21650->21641 21651 7ff6d9fdf67b 21650->21651 21653 7ff6d9fdf860 456 API calls 21651->21653 21652 7ff6d9fdf8c0 456 API calls 21652->21660 21653->21641 21654 7ff6d9fdf558 iswspace 21658 7ff6d9fdf6cd wcschr 21654->21658 21654->21660 21655 7ff6d9fdf0c4 iswdigit 21656 7ff6d9fdf5aa 21655->21656 21655->21657 21659 7ff6d9fdf860 456 API calls 21656->21659 21657->21634 21657->21641 21658->21660 21659->21643 21660->21630 21660->21631 21660->21632 21660->21635 21660->21636 21660->21644 21660->21649 21660->21652 21660->21654 21660->21655 21660->21656 
21660->21657 21661 7ff6d9fdf1fc iswdigit 21660->21661 21662 7ff6d9fdf1b7 iswspace 21660->21662 21661->21660 21662->21655 21663 7ff6d9fdf1ce wcschr 21662->21663 21663->21655 21663->21661 22666 7ff6d9fdf318 22667 7ff6d9fdf370 22666->22667 22689 7ff6d9fdf046 22666->22689 22668 7ff6d9fd3278 166 API calls 22667->22668 22677 7ff6d9fdf10e 22667->22677 22671 7ff6d9fed1f3 22668->22671 22669 7ff6d9fdf32f iswspace 22669->22667 22672 7ff6d9fdf342 wcschr 22669->22672 22670 7ff6d9fdf2b8 iswdigit 22670->22689 22672->22667 22672->22670 22673 7ff6d9fdf860 456 API calls 22675 7ff6d9fdf4a6 22673->22675 22674 7ff6d9fdf3d2 iswspace 22676 7ff6d9fdf3e9 wcschr 22674->22676 22674->22689 22678 7ff6d9fdf860 456 API calls 22675->22678 22680 7ff6d9fdf4af 22675->22680 22676->22689 22678->22680 22679 7ff6d9fdf8c0 456 API calls 22679->22689 22680->22677 22682 7ff6d9fdf860 456 API calls 22680->22682 22681 7ff6d9fdf471 22683 7ff6d9fdf860 456 API calls 22681->22683 22684 7ff6d9fdf632 iswspace 22682->22684 22693 7ff6d9fdf0ea 22683->22693 22684->22680 22685 7ff6d9fdf648 wcschr 22684->22685 22685->22680 22686 7ff6d9fdf65f iswdigit 22685->22686 22686->22677 22687 7ff6d9fdf67b 22686->22687 22688 7ff6d9fdf860 456 API calls 22687->22688 22688->22677 22689->22667 22689->22669 22689->22670 22689->22674 22689->22679 22689->22681 22690 7ff6d9fdf558 iswspace 22689->22690 22691 7ff6d9fdf0c4 iswdigit 22689->22691 22692 7ff6d9fdf5aa 22689->22692 22689->22693 22695 7ff6d9fdf860 456 API calls 22689->22695 22697 7ff6d9fdf1fc iswdigit 22689->22697 22698 7ff6d9fdf1b7 iswspace 22689->22698 22690->22689 22694 7ff6d9fdf6cd wcschr 22690->22694 22691->22692 22691->22693 22696 7ff6d9fdf860 456 API calls 22692->22696 22693->22673 22693->22677 22694->22689 22695->22689 22696->22680 22697->22689 22698->22691 22699 7ff6d9fdf1ce wcschr 22698->22699 22699->22691 22699->22697 16818 7ff6d9fe9730 16819 7ff6d9fe973c 16818->16819 16822 7ff6d9fe8b00 LdrResolveDelayLoadedAPI 16819->16822 16821 7ff6d9fe977b 16822->16821

    Control-flow Graph

    control_flow_graph 0 7ff6d9ff7f00-7ff6d9ff7f57 GetStdHandle 1 7ff6d9ff7f6b-7ff6d9ff7f74 0->1 2 7ff6d9ff7f59-7ff6d9ff7f68 _get_osfhandle 0->2 3 7ff6d9ff83df-7ff6d9ff8424 AcquireSRWLockShared ReadConsoleW ReleaseSRWLockShared 1->3 4 7ff6d9ff7f7a-7ff6d9ff7f84 1->4 2->1 6 7ff6d9ff8426-7ff6d9ff8445 call 7ff6d9fe8f80 3->6 4->3 5 7ff6d9ff7f8a-7ff6d9ff7f91 4->5 5->3 7 7ff6d9ff7f97-7ff6d9ff7fac GetConsoleScreenBufferInfo 5->7 7->3 9 7ff6d9ff7fb2-7ff6d9ff7ff2 call 7ff6da001398 7->9 13 7ff6d9ff7ff8-7ff6d9ff8052 AcquireSRWLockShared ReadConsoleW ReleaseSRWLockShared 9->13 14 7ff6d9ff8054-7ff6d9ff805f call 7ff6d9fe58e4 13->14 15 7ff6d9ff8087-7ff6d9ff808a 13->15 24 7ff6d9ff8084 14->24 25 7ff6d9ff8061-7ff6d9ff8081 GetProcessHeap RtlFreeHeap 14->25 17 7ff6d9ff80d1-7ff6d9ff80d4 15->17 18 7ff6d9ff808c-7ff6d9ff80a1 15->18 19 7ff6d9ff80f6-7ff6d9ff80f9 17->19 20 7ff6d9ff80d6-7ff6d9ff80f1 GetProcessHeap RtlFreeHeap 17->20 18->17 22 7ff6d9ff80a3-7ff6d9ff80ab 18->22 19->6 20->19 23 7ff6d9ff80b3-7ff6d9ff80ba 22->23 26 7ff6d9ff810e 23->26 27 7ff6d9ff80bc-7ff6d9ff80c1 23->27 24->15 25->24 30 7ff6d9ff8110-7ff6d9ff8113 26->30 28 7ff6d9ff80c3-7ff6d9ff80c8 27->28 29 7ff6d9ff8109-7ff6d9ff810c 27->29 31 7ff6d9ff80fe-7ff6d9ff8107 28->31 32 7ff6d9ff80ca-7ff6d9ff80cf 28->32 33 7ff6d9ff8115-7ff6d9ff8119 29->33 30->17 30->33 31->30 32->17 32->23 33->17 34 7ff6d9ff811b-7ff6d9ff8129 33->34 35 7ff6d9ff814f 34->35 36 7ff6d9ff812b-7ff6d9ff8131 34->36 37 7ff6d9ff8155-7ff6d9ff8158 35->37 38 7ff6d9ff8134-7ff6d9ff813e 36->38 39 7ff6d9ff824f-7ff6d9ff827f call 7ff6da0010d8 37->39 40 7ff6d9ff815e-7ff6d9ff8162 37->40 41 7ff6d9ff8140-7ff6d9ff8146 38->41 42 7ff6d9ff8148-7ff6d9ff814d 38->42 49 7ff6d9ff8285-7ff6d9ff829f call 7ff6d9fff22c GetConsoleScreenBufferInfo 39->49 50 7ff6d9ff8333-7ff6d9ff833a call 7ff6d9fe97bc 39->50 40->39 43 7ff6d9ff8168-7ff6d9ff8185 _wcsnicmp 40->43 41->38 41->42 42->35 42->37 45 7ff6d9ff818b-7ff6d9ff81a8 _wcsnicmp 43->45 46 7ff6d9ff8249 43->46 45->46 48 7ff6d9ff81ae-7ff6d9ff81cb 
_wcsnicmp 45->48 46->39 48->46 52 7ff6d9ff81cd-7ff6d9ff81ea _wcsnicmp 48->52 57 7ff6d9ff82a1-7ff6d9ff82bb 49->57 58 7ff6d9ff82be-7ff6d9ff82c2 49->58 60 7ff6d9ff833c-7ff6d9ff8346 call 7ff6da02c028 50->60 61 7ff6d9ff834b-7ff6d9ff834f 50->61 52->46 55 7ff6d9ff81ec-7ff6d9ff8209 _wcsnicmp 52->55 55->46 59 7ff6d9ff820b-7ff6d9ff8228 _wcsnicmp 55->59 57->58 62 7ff6d9ff82c5-7ff6d9ff82cd 58->62 59->46 63 7ff6d9ff822a-7ff6d9ff8247 _wcsnicmp 59->63 60->61 65 7ff6d9ff8352-7ff6d9ff835a 61->65 62->62 67 7ff6d9ff82cf-7ff6d9ff8331 SetConsoleCursorPosition FillConsoleOutputCharacterW WriteConsoleW call 7ff6d9fe0580 62->67 63->39 63->46 65->65 66 7ff6d9ff835c 65->66 69 7ff6d9ff835f-7ff6d9ff8362 66->69 67->69 71 7ff6d9ff8384 69->71 72 7ff6d9ff8364-7ff6d9ff837f GetProcessHeap RtlFreeHeap 69->72 74 7ff6d9ff8387-7ff6d9ff838f 71->74 72->71 74->74 75 7ff6d9ff8391-7ff6d9ff83c0 GetProcessHeap HeapAlloc 74->75 76 7ff6d9ff83c2-7ff6d9ff83d8 call 7ff6d9fe13e0 75->76 77 7ff6d9ff83dd 75->77 76->13 77->6
    APIs
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF7F44
    • _get_osfhandle.MSVCRT ref: 00007FF6D9FF7F5C
    • GetConsoleScreenBufferInfo.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF7F9E
    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF7FFF
    • ReadConsoleW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF8020
    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF8036
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF8061
    • RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF8075
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF80D6
    • RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF80EA
    • _wcsnicmp.MSVCRT ref: 00007FF6D9FF8177
    • _wcsnicmp.MSVCRT ref: 00007FF6D9FF819A
    • _wcsnicmp.MSVCRT ref: 00007FF6D9FF81BD
    • _wcsnicmp.MSVCRT ref: 00007FF6D9FF81DC
    • _wcsnicmp.MSVCRT ref: 00007FF6D9FF81FB
    • _wcsnicmp.MSVCRT ref: 00007FF6D9FF821A
    • _wcsnicmp.MSVCRT ref: 00007FF6D9FF8239
    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF8291
    • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF82D7
    • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF82FB
    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF831A
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF8364
    • RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF8378
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF839A
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF83AE
    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF83E6
    • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF8403
    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6D9FF8418
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
    • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
    • API String ID: 3637805771-3100821235
    • Opcode ID: 8d8142b9be1a5613caafbab5f3326282510bdfa90e9b839c504153badec4a604
    • Instruction ID: 670b645e408237c70558cdbab8a5c62852fd06ba1cc24d251279d5bfb1498718
    • Opcode Fuzzy Hash: 8d8142b9be1a5613caafbab5f3326282510bdfa90e9b839c504153badec4a604
    • Instruction Fuzzy Hash: 89E1B632A086538AE7208F66E8441BD7BA5FB49B99F448672DD1FD3791DF3CA428C704
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 7ff6d9fdaa54-7ff6d9fdaa98 call 7ff6d9fdcd90 83 7ff6d9fdaa9e 80->83 84 7ff6d9febf5a-7ff6d9febf70 call 7ff6d9fe4c1c call 7ff6d9fdff70 80->84 85 7ff6d9fdaaa5-7ff6d9fdaaa8 83->85 87 7ff6d9fdacde-7ff6d9fdad00 85->87 88 7ff6d9fdaaae-7ff6d9fdaac8 wcschr 85->88 94 7ff6d9fdad06 87->94 88->87 90 7ff6d9fdaace-7ff6d9fdaae9 towlower 88->90 90->87 93 7ff6d9fdaaef-7ff6d9fdaaf3 90->93 96 7ff6d9fdaaf9-7ff6d9fdaafd 93->96 97 7ff6d9febeb7-7ff6d9febec4 call 7ff6d9ffeaf0 93->97 98 7ff6d9fdad0d-7ff6d9fdad1f 94->98 100 7ff6d9fdab03-7ff6d9fdab07 96->100 101 7ff6d9febbcf 96->101 107 7ff6d9febf43-7ff6d9febf59 call 7ff6d9fe4c1c 97->107 108 7ff6d9febec6-7ff6d9febed8 call 7ff6d9fd3240 97->108 102 7ff6d9fdad22-7ff6d9fdad2a call 7ff6d9fe13e0 98->102 104 7ff6d9fdab7d-7ff6d9fdab81 100->104 105 7ff6d9fdab09-7ff6d9fdab0d 100->105 109 7ff6d9febbde 101->109 102->85 110 7ff6d9febe63 104->110 111 7ff6d9fdab87-7ff6d9fdab95 104->111 105->110 112 7ff6d9fdab13-7ff6d9fdab17 105->112 107->84 108->107 126 7ff6d9febeda-7ff6d9febee9 call 7ff6d9fd3240 108->126 121 7ff6d9febbea-7ff6d9febbec 109->121 118 7ff6d9febe72-7ff6d9febe88 call 7ff6d9fd3278 call 7ff6d9fe4c1c 110->118 116 7ff6d9fdab98-7ff6d9fdaba0 111->116 112->104 117 7ff6d9fdab19-7ff6d9fdab1d 112->117 116->116 122 7ff6d9fdaba2-7ff6d9fdabb3 call 7ff6d9fdcd90 116->122 117->109 123 7ff6d9fdab23-7ff6d9fdab27 117->123 145 7ff6d9febe89-7ff6d9febe8c 118->145 131 7ff6d9febbf8-7ff6d9febc01 121->131 122->84 136 7ff6d9fdabb9-7ff6d9fdabde call 7ff6d9fe13e0 call 7ff6d9fe33a8 122->136 123->121 124 7ff6d9fdab2d-7ff6d9fdab31 123->124 124->94 128 7ff6d9fdab37-7ff6d9fdab3b 124->128 140 7ff6d9febef3-7ff6d9febef9 126->140 141 7ff6d9febeeb-7ff6d9febef1 126->141 128->131 133 7ff6d9fdab41-7ff6d9fdab45 128->133 131->98 137 7ff6d9fdab4b-7ff6d9fdab4f 133->137 138 7ff6d9febc06-7ff6d9febc2a call 7ff6d9fe13e0 133->138 170 7ff6d9fdac75 136->170 171 7ff6d9fdabe4-7ff6d9fdabe7 136->171 143 7ff6d9fdab55-7ff6d9fdab78 call 7ff6d9fe13e0 137->143 144 
7ff6d9fdad2f-7ff6d9fdad33 137->144 157 7ff6d9febc2c-7ff6d9febc4c _wcsnicmp 138->157 158 7ff6d9febc5a-7ff6d9febc61 138->158 140->107 146 7ff6d9febefb-7ff6d9febf0d call 7ff6d9fd3240 140->146 141->107 141->140 143->85 149 7ff6d9febc66-7ff6d9febc8a call 7ff6d9fe13e0 144->149 150 7ff6d9fdad39-7ff6d9fdad3d 144->150 153 7ff6d9febe92-7ff6d9febeaa call 7ff6d9fd3278 call 7ff6d9fe4c1c 145->153 154 7ff6d9fdacbe 145->154 146->107 177 7ff6d9febf0f-7ff6d9febf21 call 7ff6d9fd3240 146->177 183 7ff6d9febcc4-7ff6d9febcdc 149->183 184 7ff6d9febc8c-7ff6d9febcaa _wcsnicmp 149->184 159 7ff6d9fdad43-7ff6d9fdad49 150->159 160 7ff6d9febcde-7ff6d9febd02 call 7ff6d9fe13e0 150->160 206 7ff6d9febeab-7ff6d9febeb6 call 7ff6d9fe4c1c 153->206 164 7ff6d9fdacc0-7ff6d9fdacc7 154->164 157->158 167 7ff6d9febc4e-7ff6d9febc55 157->167 172 7ff6d9febd31-7ff6d9febd4f _wcsnicmp 158->172 168 7ff6d9fdad4f-7ff6d9fdad68 159->168 169 7ff6d9febd5e-7ff6d9febd65 159->169 199 7ff6d9febd04-7ff6d9febd24 _wcsnicmp 160->199 200 7ff6d9febd2a 160->200 164->164 174 7ff6d9fdacc9-7ff6d9fdacda 164->174 178 7ff6d9febbb3-7ff6d9febbb7 167->178 180 7ff6d9fdad6a 168->180 181 7ff6d9fdad6d-7ff6d9fdad70 168->181 169->168 179 7ff6d9febd6b-7ff6d9febd73 169->179 187 7ff6d9fdac77-7ff6d9fdac7f 170->187 171->154 182 7ff6d9fdabed-7ff6d9fdac0b call 7ff6d9fdcd90 * 2 171->182 189 7ff6d9febd55 172->189 190 7ff6d9febbc2-7ff6d9febbca 172->190 174->87 177->107 202 7ff6d9febf23-7ff6d9febf35 call 7ff6d9fd3240 177->202 191 7ff6d9febbba-7ff6d9febbbd call 7ff6d9fe13e0 178->191 192 7ff6d9febe4a-7ff6d9febe5e 179->192 193 7ff6d9febd79-7ff6d9febd8b iswxdigit 179->193 180->181 181->102 182->206 220 7ff6d9fdac11-7ff6d9fdac14 182->220 183->172 184->183 197 7ff6d9febcac-7ff6d9febcbf 184->197 187->154 195 7ff6d9fdac81-7ff6d9fdac85 187->195 189->169 190->85 191->190 192->191 193->192 204 7ff6d9febd91-7ff6d9febda3 iswxdigit 193->204 201 7ff6d9fdac88-7ff6d9fdac8f 195->201 197->178 199->200 207 7ff6d9febbac 199->207 200->172 201->201 210 7ff6d9fdac91-7ff6d9fdac94 
201->210 202->107 222 7ff6d9febf37-7ff6d9febf3e call 7ff6d9fd3240 202->222 204->192 208 7ff6d9febda9-7ff6d9febdbb iswxdigit 204->208 206->97 207->178 208->192 215 7ff6d9febdc1-7ff6d9febdd7 iswdigit 208->215 210->154 213 7ff6d9fdac96-7ff6d9fdacaa wcsrchr 210->213 213->154 221 7ff6d9fdacac-7ff6d9fdacb9 call 7ff6d9fe1300 213->221 218 7ff6d9febddf-7ff6d9febdeb towlower 215->218 219 7ff6d9febdd9-7ff6d9febddd 215->219 225 7ff6d9febdee-7ff6d9febe0f iswdigit 218->225 219->225 220->206 226 7ff6d9fdac1a-7ff6d9fdac33 memset 220->226 221->154 222->107 227 7ff6d9febe11-7ff6d9febe15 225->227 228 7ff6d9febe17-7ff6d9febe23 towlower 225->228 226->170 229 7ff6d9fdac35-7ff6d9fdac4b wcschr 226->229 230 7ff6d9febe26-7ff6d9febe45 call 7ff6d9fe13e0 227->230 228->230 229->170 231 7ff6d9fdac4d-7ff6d9fdac54 229->231 230->192 232 7ff6d9fdad72-7ff6d9fdad91 wcschr 231->232 233 7ff6d9fdac5a-7ff6d9fdac6f wcschr 231->233 235 7ff6d9fdaf03-7ff6d9fdaf07 232->235 236 7ff6d9fdad97-7ff6d9fdadac wcschr 232->236 233->170 233->232 235->170 236->235 237 7ff6d9fdadb2-7ff6d9fdadc7 wcschr 236->237 237->235 238 7ff6d9fdadcd-7ff6d9fdade2 wcschr 237->238 238->235 239 7ff6d9fdade8-7ff6d9fdadfd wcschr 238->239 239->235 240 7ff6d9fdae03-7ff6d9fdae18 wcschr 239->240 240->235 241 7ff6d9fdae1e-7ff6d9fdae21 240->241 242 7ff6d9fdae24-7ff6d9fdae27 241->242 242->235 243 7ff6d9fdae2d-7ff6d9fdae40 iswspace 242->243 244 7ff6d9fdae42-7ff6d9fdae49 243->244 245 7ff6d9fdae4b-7ff6d9fdae5e 243->245 244->242 246 7ff6d9fdae66-7ff6d9fdae6d 245->246 246->246 247 7ff6d9fdae6f-7ff6d9fdae77 246->247 247->118 248 7ff6d9fdae7d-7ff6d9fdae97 call 7ff6d9fe13e0 247->248 251 7ff6d9fdae9a-7ff6d9fdaea4 248->251 252 7ff6d9fdaebc-7ff6d9fdaef8 call 7ff6d9fe0a6c call 7ff6d9fdff70 * 2 251->252 253 7ff6d9fdaea6-7ff6d9fdaead 251->253 252->187 261 7ff6d9fdaefe 252->261 253->252 254 7ff6d9fdaeaf-7ff6d9fdaeba 253->254 254->251 254->252 261->145
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: wcschr$Heap$AllocateProcessiswspacememsettowlowerwcsrchr
    • String ID: :$:$:$:ON$OFF
    • API String ID: 4076514806-467788257
    • Opcode ID: 2c3668651f4979ca9faab3cebc12e13a9f78b58cac88e34d12c38504de92a7c5
    • Instruction ID: a6f8eda46d149adf935c0a5b5b2009be34bf17407c21bb22e82a2902d70c114c
    • Opcode Fuzzy Hash: 2c3668651f4979ca9faab3cebc12e13a9f78b58cac88e34d12c38504de92a7c5
    • Instruction Fuzzy Hash: 2222E322E0C64386FB649F2699542BD7691EF89B89F488077CA0EC7795DF3CE460C344
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 262 7ff6d9fe51ec-7ff6d9fe5248 call 7ff6d9fe5508 GetLocaleInfoW 265 7ff6d9feef32-7ff6d9feef3c 262->265 266 7ff6d9fe524e-7ff6d9fe5272 GetLocaleInfoW 262->266 267 7ff6d9feef3f-7ff6d9feef49 265->267 268 7ff6d9fe5295-7ff6d9fe52b9 GetLocaleInfoW 266->268 269 7ff6d9fe5274-7ff6d9fe527a 266->269 272 7ff6d9feef61-7ff6d9feef6c 267->272 273 7ff6d9feef4b-7ff6d9feef52 267->273 270 7ff6d9fe52de-7ff6d9fe5305 GetLocaleInfoW 268->270 271 7ff6d9fe52bb-7ff6d9fe52c3 268->271 274 7ff6d9fe5280-7ff6d9fe5286 269->274 275 7ff6d9fe54f7-7ff6d9fe54f9 269->275 278 7ff6d9fe5321-7ff6d9fe5343 GetLocaleInfoW 270->278 279 7ff6d9fe5307-7ff6d9fe531b 270->279 276 7ff6d9feef75-7ff6d9feef78 271->276 277 7ff6d9fe52c9-7ff6d9fe52d7 271->277 272->276 273->272 280 7ff6d9feef54-7ff6d9feef5f 273->280 274->275 281 7ff6d9fe528c-7ff6d9fe528f 274->281 275->265 284 7ff6d9feef7a-7ff6d9feef7d 276->284 285 7ff6d9feef99-7ff6d9feefa3 276->285 277->270 282 7ff6d9feefaf-7ff6d9feefb9 278->282 283 7ff6d9fe5349-7ff6d9fe536e GetLocaleInfoW 278->283 279->278 280->267 280->272 281->268 286 7ff6d9feefbc-7ff6d9feefc6 282->286 287 7ff6d9feeff2-7ff6d9feeffc 283->287 288 7ff6d9fe5374-7ff6d9fe5396 GetLocaleInfoW 283->288 284->270 289 7ff6d9feef83-7ff6d9feef8d 284->289 285->282 290 7ff6d9feefde-7ff6d9feefe9 286->290 291 7ff6d9feefc8-7ff6d9feefcf 286->291 292 7ff6d9feefff-7ff6d9fef009 287->292 293 7ff6d9fef035-7ff6d9fef03f 288->293 294 7ff6d9fe539c-7ff6d9fe53be GetLocaleInfoW 288->294 289->285 290->287 291->290 295 7ff6d9feefd1-7ff6d9feefdc 291->295 296 7ff6d9fef021-7ff6d9fef02c 292->296 297 7ff6d9fef00b-7ff6d9fef012 292->297 300 7ff6d9fef042-7ff6d9fef04c 293->300 298 7ff6d9fe53c4-7ff6d9fe53e6 GetLocaleInfoW 294->298 299 7ff6d9fef078-7ff6d9fef082 294->299 295->286 295->290 296->293 297->296 302 7ff6d9fef014-7ff6d9fef01f 297->302 303 7ff6d9fef0bb-7ff6d9fef0c5 298->303 304 7ff6d9fe53ec-7ff6d9fe540e GetLocaleInfoW 298->304 301 7ff6d9fef085-7ff6d9fef08f 299->301 305 7ff6d9fef064-7ff6d9fef06f 300->305 306 
7ff6d9fef04e-7ff6d9fef055 300->306 307 7ff6d9fef091-7ff6d9fef098 301->307 308 7ff6d9fef0a7-7ff6d9fef0b2 301->308 302->292 302->296 309 7ff6d9fef0c8-7ff6d9fef0d2 303->309 310 7ff6d9fe5414-7ff6d9fe5436 GetLocaleInfoW 304->310 311 7ff6d9fef0fe-7ff6d9fef108 304->311 305->299 306->305 312 7ff6d9fef057-7ff6d9fef062 306->312 307->308 313 7ff6d9fef09a-7ff6d9fef0a5 307->313 308->303 314 7ff6d9fef0d4-7ff6d9fef0db 309->314 315 7ff6d9fef0ea-7ff6d9fef0f5 309->315 316 7ff6d9fef141-7ff6d9fef14b 310->316 317 7ff6d9fe543c-7ff6d9fe545e GetLocaleInfoW 310->317 318 7ff6d9fef10b-7ff6d9fef115 311->318 312->300 312->305 313->301 313->308 314->315 322 7ff6d9fef0dd-7ff6d9fef0e8 314->322 315->311 321 7ff6d9fef14e-7ff6d9fef158 316->321 323 7ff6d9fef184-7ff6d9fef18b 317->323 324 7ff6d9fe5464-7ff6d9fe5486 GetLocaleInfoW 317->324 319 7ff6d9fef12d-7ff6d9fef138 318->319 320 7ff6d9fef117-7ff6d9fef11e 318->320 319->316 320->319 325 7ff6d9fef120-7ff6d9fef12b 320->325 326 7ff6d9fef170-7ff6d9fef17b 321->326 327 7ff6d9fef15a-7ff6d9fef161 321->327 322->309 322->315 328 7ff6d9fef18e-7ff6d9fef198 323->328 329 7ff6d9fef1c4-7ff6d9fef1ce 324->329 330 7ff6d9fe548c-7ff6d9fe54ae GetLocaleInfoW 324->330 325->318 325->319 326->323 327->326 332 7ff6d9fef163-7ff6d9fef16e 327->332 333 7ff6d9fef1b0-7ff6d9fef1bb 328->333 334 7ff6d9fef19a-7ff6d9fef1a1 328->334 331 7ff6d9fef1d1-7ff6d9fef1db 329->331 335 7ff6d9fe54b4-7ff6d9fe54f5 setlocale call 7ff6d9fe8f80 330->335 336 7ff6d9fef207-7ff6d9fef20e 330->336 338 7ff6d9fef1f3-7ff6d9fef1fe 331->338 339 7ff6d9fef1dd-7ff6d9fef1e4 331->339 332->321 332->326 333->329 334->333 341 7ff6d9fef1a3-7ff6d9fef1ae 334->341 340 7ff6d9fef211-7ff6d9fef21b 336->340 338->336 339->338 343 7ff6d9fef1e6-7ff6d9fef1f1 339->343 344 7ff6d9fef233-7ff6d9fef23e 340->344 345 7ff6d9fef21d-7ff6d9fef224 340->345 341->328 341->333 343->331 343->338 345->344 346 7ff6d9fef226-7ff6d9fef231 345->346 346->340 346->344
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: InfoLocale$DefaultLangUsersetlocale
    • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
    • API String ID: 2492766124-2236139042
    • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
    • Instruction ID: 369cadbb061277245308cd1200011b1c99fe68374efd7ffb69f29343cb88f128
    • Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
    • Instruction Fuzzy Hash: B1F15926B0874386EF218F11E9502BD66A5BF49B84F94813BCA0DC77A5EF3CE925C314
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 347 7ff6d9fe5554-7ff6d9fe55b9 call 7ff6d9fea640 350 7ff6d9fe55bc-7ff6d9fe55e8 RegOpenKeyExW 347->350 351 7ff6d9fe55ee-7ff6d9fe5631 RegQueryValueExW 350->351 352 7ff6d9fe5887-7ff6d9fe588e 350->352 353 7ff6d9fef248-7ff6d9fef24d 351->353 354 7ff6d9fe5637-7ff6d9fe5675 RegQueryValueExW 351->354 352->350 355 7ff6d9fe5894-7ff6d9fe58db time srand call 7ff6d9fe8f80 352->355 359 7ff6d9fef260-7ff6d9fef265 353->359 360 7ff6d9fef24f-7ff6d9fef25b 353->360 356 7ff6d9fe568e-7ff6d9fe56cc RegQueryValueExW 354->356 357 7ff6d9fe5677-7ff6d9fe567c 354->357 364 7ff6d9fe56d2-7ff6d9fe5710 RegQueryValueExW 356->364 365 7ff6d9fef2b6-7ff6d9fef2bb 356->365 362 7ff6d9fe5682-7ff6d9fe5687 357->362 363 7ff6d9fef28b-7ff6d9fef290 357->363 359->354 361 7ff6d9fef26b-7ff6d9fef286 _wtol 359->361 360->354 361->354 362->356 363->356 367 7ff6d9fef296-7ff6d9fef2b1 _wtol 363->367 370 7ff6d9fe5712-7ff6d9fe5717 364->370 371 7ff6d9fe5729-7ff6d9fe5767 RegQueryValueExW 364->371 368 7ff6d9fef2ce-7ff6d9fef2d3 365->368 369 7ff6d9fef2bd-7ff6d9fef2c9 365->369 367->356 368->364 372 7ff6d9fef2d9-7ff6d9fef2f4 _wtol 368->372 369->364 373 7ff6d9fe571d-7ff6d9fe5722 370->373 374 7ff6d9fef2f9-7ff6d9fef2fe 370->374 375 7ff6d9fe579f-7ff6d9fe57dd RegQueryValueExW 371->375 376 7ff6d9fe5769-7ff6d9fe576e 371->376 372->364 373->371 374->371 379 7ff6d9fef304-7ff6d9fef31a wcstol 374->379 377 7ff6d9fe57e3-7ff6d9fe57e8 375->377 378 7ff6d9fef3a9 375->378 380 7ff6d9fe5774-7ff6d9fe578f 376->380 381 7ff6d9fef320-7ff6d9fef325 376->381 384 7ff6d9fef363-7ff6d9fef368 377->384 385 7ff6d9fe57ee-7ff6d9fe5809 377->385 392 7ff6d9fef3b5-7ff6d9fef3b8 378->392 379->381 382 7ff6d9fe5795-7ff6d9fe5799 380->382 383 7ff6d9fef357-7ff6d9fef35e 380->383 386 7ff6d9fef34b 381->386 387 7ff6d9fef327-7ff6d9fef33f wcstol 381->387 382->375 382->383 383->375 388 7ff6d9fef38e 384->388 389 7ff6d9fef36a-7ff6d9fef382 wcstol 384->389 390 7ff6d9fe580f-7ff6d9fe5813 385->390 391 7ff6d9fef39a-7ff6d9fef39d 385->391 386->383 387->386 388->391 389->388 
390->391 393 7ff6d9fe5819-7ff6d9fe5823 390->393 391->378 394 7ff6d9fef3be-7ff6d9fef3c5 392->394 395 7ff6d9fe582c 392->395 393->392 396 7ff6d9fe5829 393->396 397 7ff6d9fe5832-7ff6d9fe5870 RegQueryValueExW 394->397 395->397 398 7ff6d9fef3ca-7ff6d9fef3d1 395->398 396->395 399 7ff6d9fef3dd-7ff6d9fef3e2 397->399 400 7ff6d9fe5876-7ff6d9fe5882 RegCloseKey 397->400 398->399 401 7ff6d9fef3e4-7ff6d9fef412 ExpandEnvironmentStringsW 399->401 402 7ff6d9fef433-7ff6d9fef439 399->402 400->352 403 7ff6d9fef414-7ff6d9fef426 call 7ff6d9fe13e0 401->403 404 7ff6d9fef428 401->404 402->400 405 7ff6d9fef43f-7ff6d9fef44c call 7ff6d9fdb900 402->405 407 7ff6d9fef42e 403->407 404->407 405->400 407->402
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: QueryValue$CloseOpensrandtime
    • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
    • API String ID: 145004033-3846321370
    • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
    • Instruction ID: 2bb4ce7fa9d54fd7645c74e3195a5a5ddbd4c20d450c5995a9f4a5010777884e
    • Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
    • Instruction Fuzzy Hash: B5E16D3262DA82C6EB608F51E4505BEB7A4FB89748F805137EA8EC3A54DF7CD564CB04
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 729 7ff6d9fe37d8-7ff6d9fe3887 GetCurrentThreadId OpenThread call 7ff6d9fe04f4 HeapSetInformation RegOpenKeyExW 732 7ff6d9fe388d-7ff6d9fe38eb call 7ff6d9fe5920 GetConsoleOutputCP GetCPInfo 729->732 733 7ff6d9fee9f8-7ff6d9feea3b RegQueryValueExW RegCloseKey 729->733 736 7ff6d9feea41-7ff6d9feea59 GetThreadLocale 732->736 737 7ff6d9fe38f1-7ff6d9fe3913 memset 732->737 733->736 738 7ff6d9feea74-7ff6d9feea77 736->738 739 7ff6d9feea5b-7ff6d9feea67 736->739 740 7ff6d9feeaa5 737->740 741 7ff6d9fe3919-7ff6d9fe3935 call 7ff6d9fe4d5c 737->741 742 7ff6d9feea94-7ff6d9feea96 738->742 743 7ff6d9feea79-7ff6d9feea7d 738->743 739->738 745 7ff6d9feeaa8-7ff6d9feeab4 740->745 749 7ff6d9feeae2-7ff6d9feeaff call 7ff6d9fd3240 call 7ff6d9ff8530 call 7ff6d9fe4c1c 741->749 750 7ff6d9fe393b-7ff6d9fe3942 741->750 742->740 743->742 744 7ff6d9feea7f-7ff6d9feea89 743->744 744->742 745->741 747 7ff6d9feeaba-7ff6d9feeac3 745->747 751 7ff6d9feeacb-7ff6d9feeace 747->751 757 7ff6d9feeb00-7ff6d9feeb0d 749->757 752 7ff6d9feeb27-7ff6d9feeb40 _setjmp 750->752 753 7ff6d9fe3948-7ff6d9fe3962 _setjmp 750->753 754 7ff6d9feeac5-7ff6d9feeac9 751->754 755 7ff6d9feead0-7ff6d9feeadb 751->755 759 7ff6d9fe39fe-7ff6d9fe3a05 call 7ff6d9fe4c1c 752->759 760 7ff6d9feeb46-7ff6d9feeb49 752->760 753->757 758 7ff6d9fe3968-7ff6d9fe396d 753->758 754->751 755->745 761 7ff6d9feeadd 755->761 770 7ff6d9feeb15-7ff6d9feeb1f call 7ff6d9fe4c1c 757->770 763 7ff6d9fe396f 758->763 764 7ff6d9fe39b9-7ff6d9fe39bb 758->764 759->733 766 7ff6d9feeb4b-7ff6d9feeb65 call 7ff6d9fd3240 call 7ff6d9ff8530 call 7ff6d9fe4c1c 760->766 767 7ff6d9feeb66-7ff6d9feeb6f call 7ff6d9fe01b8 760->767 761->741 771 7ff6d9fe3972-7ff6d9fe397d 763->771 774 7ff6d9feeb20 764->774 775 7ff6d9fe39c1-7ff6d9fe39c8 call 7ff6d9fe4c1c 764->775 766->767 786 7ff6d9feeb71-7ff6d9feeb82 _setmode 767->786 787 7ff6d9feeb87-7ff6d9feeb89 call 7ff6d9fe86f0 767->787 770->774 780 7ff6d9fe397f-7ff6d9fe3984 771->780 781 7ff6d9fe39c9-7ff6d9fe39de call 7ff6d9fddf60 771->781 
774->752 775->781 780->771 789 7ff6d9fe3986-7ff6d9fe39b3 call 7ff6d9fe0580 GetConsoleOutputCP GetCPInfo call 7ff6d9fe04f4 780->789 781->770 796 7ff6d9fe39e4-7ff6d9fe39e8 781->796 786->787 797 7ff6d9feeb8e-7ff6d9feeba1 call 7ff6d9fe58e4 call 7ff6d9fddf60 787->797 789->764 796->759 801 7ff6d9fe39ea-7ff6d9fe39fc call 7ff6d9fdbe00 796->801 809 7ff6d9feeba6-7ff6d9feebad 797->809 801->780 809->797 810 7ff6d9feebaf-7ff6d9feebb3 809->810 810->759 811 7ff6d9feebb9-7ff6d9feec24 call 7ff6d9fe58e4 GetConsoleOutputCP GetCPInfo call 7ff6d9fe04f4 call 7ff6d9fdbe00 call 7ff6d9fe0580 GetConsoleOutputCP GetCPInfo call 7ff6d9fe04f4 810->811 811->797
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
    • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
    • API String ID: 2624720099-1920437939
    • Opcode ID: f7d7d08620b0a20aad27d36e676bcdea795ae43db43436ca2b5da1582b61596f
    • Instruction ID: 9df26939838319e12afdfd380ca7149d6104a0f8e743bce7ce6c7a6fca048237
    • Opcode Fuzzy Hash: f7d7d08620b0a20aad27d36e676bcdea795ae43db43436ca2b5da1582b61596f
    • Instruction Fuzzy Hash: 75C1BA31E0C6438AF724AF65A8541BD7AA1FF49758F14817BEA0EC77A2DF3CA4648700
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 987 7ff6d9fd32b0-7ff6d9fd32ea call 7ff6d9fe3578 990 7ff6d9fd32f0-7ff6d9fd3317 _get_osfhandle GetConsoleScreenBufferInfo 987->990 991 7ff6d9fd33d1-7ff6d9fd33d3 987->991 990->991 993 7ff6d9fd331d-7ff6d9fd3329 990->993 992 7ff6d9fd332c-7ff6d9fd334b call 7ff6d9fd3410 991->992 996 7ff6d9fd3405-7ff6d9fd3408 992->996 997 7ff6d9fd3351-7ff6d9fd3359 992->997 993->992 998 7ff6d9fd33a8-7ff6d9fd33aa 996->998 999 7ff6d9fd3498-7ff6d9fd349b 996->999 1000 7ff6d9fd335b-7ff6d9fd3362 997->1000 1001 7ff6d9fd33d8-7ff6d9fd33ed call 7ff6d9fe36ec 997->1001 1006 7ff6d9ff11f5-7ff6d9ff11f9 998->1006 1007 7ff6d9fd33b0 998->1007 1002 7ff6d9fd34b4-7ff6d9fd34be 999->1002 1003 7ff6d9fd349d-7ff6d9fd34b2 wcschr 999->1003 1004 7ff6d9ff1048-7ff6d9ff1051 1000->1004 1005 7ff6d9fd3368-7ff6d9fd3392 WriteConsoleW 1000->1005 1019 7ff6d9fd33f3-7ff6d9fd33fe 1001->1019 1020 7ff6d9ff11df-7ff6d9ff11f0 GetLastError 1001->1020 1011 7ff6d9fd34c4-7ff6d9fd34ed FormatMessageW 1002->1011 1012 7ff6d9ff121d-7ff6d9ff1249 GetProcessHeap HeapAlloc 1002->1012 1003->1002 1010 7ff6d9fd351b-7ff6d9fd352a 1003->1010 1017 7ff6d9ff1193-7ff6d9ff11a0 1004->1017 1018 7ff6d9ff1057-7ff6d9ff1073 GetConsoleScreenBufferInfo 1004->1018 1013 7ff6d9ff11cc-7ff6d9ff11da GetLastError 1005->1013 1014 7ff6d9fd3398 1005->1014 1006->1007 1016 7ff6d9ff11ff-7ff6d9ff1209 call 7ff6d9fe4c1c 1006->1016 1015 7ff6d9fd33b2-7ff6d9fd33cf call 7ff6d9fe8f80 1007->1015 1026 7ff6d9fd3530-7ff6d9fd3532 1010->1026 1027 7ff6d9ff120a-7ff6d9ff120e 1010->1027 1024 7ff6d9fd34ef-7ff6d9fd3519 call 7ff6d9fe8f80 1011->1024 1012->1024 1031 7ff6d9ff124f-7ff6d9ff1251 1012->1031 1025 7ff6d9fd339a-7ff6d9fd33a6 1013->1025 1014->1025 1016->1027 1022 7ff6d9ff11a2-7ff6d9ff11a5 1017->1022 1023 7ff6d9ff11c1-7ff6d9ff11c4 1017->1023 1029 7ff6d9ff118d 1018->1029 1030 7ff6d9ff1079-7ff6d9ff10a2 WriteConsoleW 1018->1030 1019->1014 1034 7ff6d9fd3400 1019->1034 1020->998 1036 7ff6d9ff11bb 1022->1036 1037 7ff6d9ff11a7-7ff6d9ff11b2 1022->1037 1023->1013 1025->997 1025->998 
1026->999 1027->999 1039 7ff6d9ff1214-7ff6d9ff1218 1027->1039 1029->1017 1030->1029 1041 7ff6d9ff10a8-7ff6d9ff117f GetStdHandle FlushConsoleInputBuffer GetConsoleMode SetConsoleMode _getch SetConsoleMode GetConsoleScreenBufferInfo FillConsoleOutputCharacterW SetConsoleCursorPosition 1030->1041 1032 7ff6d9ff1253 1031->1032 1033 7ff6d9ff127a-7ff6d9ff135e FormatMessageW GetProcessHeap RtlFreeHeap _ultoa GetACP call 7ff6d9fe0460 MultiByteToWideChar 1031->1033 1043 7ff6d9ff1256-7ff6d9ff1259 1032->1043 1034->1020 1036->1023 1044 7ff6d9ff11b4 1037->1044 1045 7ff6d9ff11b6-7ff6d9ff11b9 1037->1045 1039->999 1041->1029 1042 7ff6d9ff1181-7ff6d9ff1188 call 7ff6d9ffbde4 1041->1042 1042->1015 1048 7ff6d9ff125b-7ff6d9ff1265 1043->1048 1049 7ff6d9ff1267 1043->1049 1044->1045 1045->1022 1045->1036 1052 7ff6d9ff126e-7ff6d9ff1278 1048->1052 1049->1052 1052->1033 1052->1043
    APIs
      • Part of subcall function 00007FF6D9FE3578: _get_osfhandle.MSVCRT ref: 00007FF6D9FE3584
      • Part of subcall function 00007FF6D9FE3578: GetFileType.KERNELBASE(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE359C
      • Part of subcall function 00007FF6D9FE3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE35C3
      • Part of subcall function 00007FF6D9FE3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE35D9
      • Part of subcall function 00007FF6D9FE3578: GetConsoleMode.KERNELBASE(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE35ED
      • Part of subcall function 00007FF6D9FE3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE3602
    • _get_osfhandle.MSVCRT ref: 00007FF6D9FD32F3
    • GetConsoleScreenBufferInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF6D9FD32A4), ref: 00007FF6D9FD3309
    • WriteConsoleW.KERNELBASE ref: 00007FF6D9FD3384
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6D9FF11DF
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
    • String ID:
    • API String ID: 611521582-0
    • Opcode ID: 48034758720484ce4b30563db4a16b18c5906bae599308cacbd019090a686e8f
    • Instruction ID: 2f57ad4c3ec7affdb3a5159abc55dcf0b97e4eb8b4923836f061b57101dc7bde
    • Opcode Fuzzy Hash: 48034758720484ce4b30563db4a16b18c5906bae599308cacbd019090a686e8f
    • Instruction Fuzzy Hash: 76A18D22F086138AFB248F61A8442BD7AA5FF89B59F449136CE0EC7795DF7CA459C700
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
    • String ID: $Application$System
    • API String ID: 3538039442-1881496484
    • Opcode ID: daa3c9530b8b938baf5fb889163c7e181f5423a1c9033fa4c42bef87fdf31ece
    • Instruction ID: 87c33eef0beee1b2c7bd416e0fa1ca9680875b617d2a920fa100cdde161389b3
    • Opcode Fuzzy Hash: daa3c9530b8b938baf5fb889163c7e181f5423a1c9033fa4c42bef87fdf31ece
    • Instruction Fuzzy Hash: 8051AB32A0CB4287EB218F16B4406BEBAA5FB89B48F459136DE4E83755DF3CD469C700
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1376 7ff6d9fe2978-7ff6d9fe29b6 1377 7ff6d9fe29b9-7ff6d9fe29c1 1376->1377 1377->1377 1378 7ff6d9fe29c3-7ff6d9fe29c5 1377->1378 1379 7ff6d9fee441 1378->1379 1380 7ff6d9fe29cb-7ff6d9fe29cf 1378->1380 1381 7ff6d9fe29d2-7ff6d9fe29da 1380->1381 1382 7ff6d9fe2a1e-7ff6d9fe2a3e FindFirstFileW 1381->1382 1383 7ff6d9fe29dc-7ff6d9fe29e1 1381->1383 1385 7ff6d9fee435-7ff6d9fee439 1382->1385 1386 7ff6d9fe2a44-7ff6d9fe2a5c FindClose 1382->1386 1383->1382 1384 7ff6d9fe29e3-7ff6d9fe29eb 1383->1384 1384->1381 1387 7ff6d9fe29ed-7ff6d9fe2a1c call 7ff6d9fe8f80 1384->1387 1385->1379 1388 7ff6d9fe2ae3-7ff6d9fe2ae5 1386->1388 1389 7ff6d9fe2a62-7ff6d9fe2a6e 1386->1389 1390 7ff6d9fe2aeb-7ff6d9fe2b10 _wcsnicmp 1388->1390 1391 7ff6d9fee3f7-7ff6d9fee3ff 1388->1391 1393 7ff6d9fe2a70-7ff6d9fe2a78 1389->1393 1390->1389 1394 7ff6d9fe2b16-7ff6d9fee3f1 _wcsicmp 1390->1394 1393->1393 1396 7ff6d9fe2a7a-7ff6d9fe2a8d 1393->1396 1394->1389 1394->1391 1396->1379 1397 7ff6d9fe2a93-7ff6d9fe2a97 1396->1397 1399 7ff6d9fee404-7ff6d9fee407 1397->1399 1400 7ff6d9fe2a9d-7ff6d9fe2ade memmove call 7ff6d9fe13e0 1397->1400 1402 7ff6d9fee40b-7ff6d9fee413 1399->1402 1400->1384 1402->1402 1404 7ff6d9fee415-7ff6d9fee42b memmove 1402->1404 1404->1385
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
    • Instruction ID: fe2347db9f98d27bdbf1a7418f8e994f683c2e7eff6a43dd4d57c58744f95322
    • Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
    • Instruction Fuzzy Hash: 88511962B0868286EB309F15A9442BEA690FB54BE4F545232DE6EC77D1EF3CE465C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$FreeProcess_setjmp
    • String ID:
    • API String ID: 777023205-0
    • Opcode ID: 4d7b9ccfac645ebfd825f434598c61173767747c4fc72b71514dec63949a2a90
    • Instruction ID: ec084f497356a46115710d2c695b2629a1da20d93d688f8f7ab4217a52865837
    • Opcode Fuzzy Hash: 4d7b9ccfac645ebfd825f434598c61173767747c4fc72b71514dec63949a2a90
    • Instruction Fuzzy Hash: F051273191DA438AE6108F15A8801BDB7A4BF88B58F548577D94ECB7A2EF3CB460C741
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: OpenToken$CloseProcessThread
    • String ID:
    • API String ID: 2991381754-0
    • Opcode ID: b852a0208421dc62c7203a720914108dbe041e691bb4631683058e09142ae365
    • Instruction ID: 03dc6d094d4687aad753ac91f18482647c6aef856121e3e5e9849f5a1da03177
    • Opcode Fuzzy Hash: b852a0208421dc62c7203a720914108dbe041e691bb4631683058e09142ae365
    • Instruction Fuzzy Hash: B921A132B086838BE7109F94E4402BDB7A0EB85BA5F504537DB69C3694DF7CE868CB01
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00007FF6D9FFC59E), ref: 00007FF6D9FD5879
      • Part of subcall function 00007FF6D9FD58D4: RegOpenKeyExW.ADVAPI32 ref: 00007FF6D9FD5903
      • Part of subcall function 00007FF6D9FD58D4: RegQueryValueExW.ADVAPI32 ref: 00007FF6D9FD5943
      • Part of subcall function 00007FF6D9FD58D4: RegCloseKey.ADVAPI32 ref: 00007FF6D9FD5956
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CloseOpenQueryValueVersion
    • String ID: %d.%d.%05d.%d
    • API String ID: 2996790148-3457777122
    • Opcode ID: 4d5ad80169b63ecb9418821cd297058139bf77423c780748cae3bcfdcd848c3f
    • Instruction ID: e0227af8a805996197b73482fa86a9469f9fdd71e5481bb41f1f1f36351559e5
    • Opcode Fuzzy Hash: 4d5ad80169b63ecb9418821cd297058139bf77423c780748cae3bcfdcd848c3f
    • Instruction Fuzzy Hash: DEF0A062A0C3828BD3209F56B44006EBAA1FB88780F508139DA4A47B5ACF7CD528CB44
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: InformationQueryToken
    • String ID:
    • API String ID: 4239771691-0
    • Opcode ID: 87357954a8523b25dda20131eda18b71b38099689d5f90fd4ce6128a3877601f
    • Instruction ID: 3f8bb3c099ba215ae97e1e98ee4d154a4450eae02ffab6991372b58df0214c3a
    • Opcode Fuzzy Hash: 87357954a8523b25dda20131eda18b71b38099689d5f90fd4ce6128a3877601f
    • Instruction Fuzzy Hash: 3C115E72A18781DBEB118F01E4003ADBBA4FB85BA5F008532DB4883694DF7DE598CB41
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: InformationQueryToken
    • String ID:
    • API String ID: 4239771691-0
    • Opcode ID: d8659c39f39a3ec2fcbfc3da82b894078fa87797e5da65106923171eedb6fa24
    • Instruction ID: af101f1ecc86eda3e9bca062b3ade2935f4ac3bfdda86a644324ac868857b8a9
    • Opcode Fuzzy Hash: d8659c39f39a3ec2fcbfc3da82b894078fa87797e5da65106923171eedb6fa24
    • Instruction Fuzzy Hash: BAF030B3B04B81CBD7018F65E58449CB778F744B88B55857ACB2843704DB75D9A4CB40
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: DelayLoadedResolve
    • String ID:
    • API String ID: 841769287-0
    • Opcode ID: 1dcf29d44bb20ea269609b542accdec4eb1f07110d6fe7f193b9314fbb93284e
    • Instruction ID: 8302c53088c062faaaeca8bfa440fcdda0197246bb8946253b43b659d22c0806
    • Opcode Fuzzy Hash: 1dcf29d44bb20ea269609b542accdec4eb1f07110d6fe7f193b9314fbb93284e
    • Instruction Fuzzy Hash: 07E0EC70D08A42D6D6209F01E8440AC7BA5FB49749F805173D94CC3335CF3CE169CB09
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 411 7ff6d9fe4d5c-7ff6d9fe4e4b InitializeCriticalSection call 7ff6d9fe58e4 SetConsoleCtrlHandler _get_osfhandle GetConsoleMode _get_osfhandle GetConsoleMode call 7ff6d9fe0580 call 7ff6d9fe4a14 call 7ff6d9fe4ad0 call 7ff6d9fe5554 GetCommandLineW 422 7ff6d9fe4e4d-7ff6d9fe4e54 411->422 422->422 423 7ff6d9fe4e56-7ff6d9fe4e61 422->423 424 7ff6d9fe51cf-7ff6d9fe51e3 call 7ff6d9fd3278 call 7ff6d9fe4c1c 423->424 425 7ff6d9fe4e67-7ff6d9fe4e7b call 7ff6d9fe2e44 423->425 430 7ff6d9fe4e81-7ff6d9fe4ec3 GetCommandLineW call 7ff6d9fe13e0 call 7ff6d9fdca40 425->430 431 7ff6d9fe51ba-7ff6d9fe51ce call 7ff6d9fd3278 call 7ff6d9fe4c1c 425->431 430->431 442 7ff6d9fe4ec9-7ff6d9fe4ee8 call 7ff6d9fe417c call 7ff6d9fe2394 430->442 431->424 446 7ff6d9fe4eed-7ff6d9fe4ef5 442->446 446->446 447 7ff6d9fe4ef7-7ff6d9fe4f1f call 7ff6d9fdaa54 446->447 450 7ff6d9fe4f95-7ff6d9fe4fee GetConsoleOutputCP GetCPInfo call 7ff6d9fe51ec GetProcessHeap HeapAlloc 447->450 451 7ff6d9fe4f21-7ff6d9fe4f30 447->451 457 7ff6d9fe5012-7ff6d9fe5018 450->457 458 7ff6d9fe4ff0-7ff6d9fe5006 GetConsoleTitleW 450->458 451->450 452 7ff6d9fe4f32-7ff6d9fe4f39 451->452 452->450 454 7ff6d9fe4f3b-7ff6d9fe4f77 call 7ff6d9fd3278 GetWindowsDirectoryW 452->454 464 7ff6d9fe51b1-7ff6d9fe51b9 call 7ff6d9fe4c1c 454->464 465 7ff6d9fe4f7d-7ff6d9fe4f90 call 7ff6d9fe3c24 454->465 459 7ff6d9fe507a-7ff6d9fe507e 457->459 460 7ff6d9fe501a-7ff6d9fe5024 call 7ff6d9fe3578 457->460 458->457 462 7ff6d9fe5008-7ff6d9fe500f 458->462 466 7ff6d9fe5080-7ff6d9fe50b3 call 7ff6d9ffb89c call 7ff6d9fd586c call 7ff6d9fd3240 call 7ff6d9fe3448 459->466 467 7ff6d9fe50eb-7ff6d9fe5161 GetModuleHandleW GetProcAddress * 3 459->467 460->459 474 7ff6d9fe5026-7ff6d9fe5030 460->474 462->457 464->431 465->450 492 7ff6d9fe50d2-7ff6d9fe50d7 call 7ff6d9fd3278 466->492 493 7ff6d9fe50b5-7ff6d9fe50cb call 7ff6d9fe3448 * 2 466->493 472 7ff6d9fe5163-7ff6d9fe5167 467->472 473 7ff6d9fe516f 467->473 472->473 477 7ff6d9fe5169-7ff6d9fe516d 472->477 478 
7ff6d9fe5172-7ff6d9fe51af free call 7ff6d9fe8f80 473->478 480 7ff6d9fe5032-7ff6d9fe5059 GetStdHandle GetConsoleScreenBufferInfo 474->480 481 7ff6d9fe5075 call 7ff6d9ffcff0 474->481 477->473 477->478 484 7ff6d9fe505b-7ff6d9fe5067 480->484 485 7ff6d9fe5069-7ff6d9fe5073 480->485 481->459 484->459 485->459 485->481 497 7ff6d9fe50dc-7ff6d9fe50e6 GlobalFree 492->497 499 7ff6d9fe50d0 493->499 497->467 499->497
    APIs
    • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE4D9A
      • Part of subcall function 00007FF6D9FE58E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF6D9FFC6DB), ref: 00007FF6D9FE58EF
    • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE4DBB
    • _get_osfhandle.MSVCRT ref: 00007FF6D9FE4DCA
    • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE4DE0
    • _get_osfhandle.MSVCRT ref: 00007FF6D9FE4DEE
    • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE4E04
      • Part of subcall function 00007FF6D9FE0580: _get_osfhandle.MSVCRT ref: 00007FF6D9FE0589
      • Part of subcall function 00007FF6D9FE0580: SetConsoleMode.KERNELBASE ref: 00007FF6D9FE059E
      • Part of subcall function 00007FF6D9FE0580: _get_osfhandle.MSVCRT ref: 00007FF6D9FE05AF
      • Part of subcall function 00007FF6D9FE0580: GetConsoleMode.KERNELBASE ref: 00007FF6D9FE05C5
      • Part of subcall function 00007FF6D9FE0580: _get_osfhandle.MSVCRT ref: 00007FF6D9FE05EF
      • Part of subcall function 00007FF6D9FE0580: GetConsoleMode.KERNELBASE ref: 00007FF6D9FE0605
      • Part of subcall function 00007FF6D9FE0580: _get_osfhandle.MSVCRT ref: 00007FF6D9FE0632
      • Part of subcall function 00007FF6D9FE0580: SetConsoleMode.KERNELBASE ref: 00007FF6D9FE0647
      • Part of subcall function 00007FF6D9FE4A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6D9FE49F1), ref: 00007FF6D9FE4A28
      • Part of subcall function 00007FF6D9FE4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FE49F1), ref: 00007FF6D9FE4A66
      • Part of subcall function 00007FF6D9FE4A14: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6D9FE49F1), ref: 00007FF6D9FE4A7D
      • Part of subcall function 00007FF6D9FE4A14: memmove.MSVCRT(?,?,00000000,00007FF6D9FE49F1), ref: 00007FF6D9FE4A9A
      • Part of subcall function 00007FF6D9FE4A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6D9FE49F1), ref: 00007FF6D9FE4AA2
      • Part of subcall function 00007FF6D9FE4AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6D9FD8798), ref: 00007FF6D9FE4AD6
      • Part of subcall function 00007FF6D9FE4AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6D9FD8798), ref: 00007FF6D9FE4AEF
      • Part of subcall function 00007FF6D9FE5554: RegOpenKeyExW.ADVAPI32(?,00000000,?,00000001,?,00007FF6D9FE4E35), ref: 00007FF6D9FE55DA
      • Part of subcall function 00007FF6D9FE5554: RegQueryValueExW.ADVAPI32 ref: 00007FF6D9FE5623
      • Part of subcall function 00007FF6D9FE5554: RegQueryValueExW.ADVAPI32 ref: 00007FF6D9FE5667
      • Part of subcall function 00007FF6D9FE5554: RegQueryValueExW.ADVAPI32 ref: 00007FF6D9FE56BE
      • Part of subcall function 00007FF6D9FE5554: RegQueryValueExW.ADVAPI32 ref: 00007FF6D9FE5702
    • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE4E35
    • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE4E81
    • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE4F69
    • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE4F95
    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE4FB0
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE4FC1
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE4FD8
    • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE4FF8
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE5037
    • GetConsoleScreenBufferInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE504B
    • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE50DF
    • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE50F2
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE510F
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE5130
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE514A
    • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6D9FE5175
      • Part of subcall function 00007FF6D9FE3578: _get_osfhandle.MSVCRT ref: 00007FF6D9FE3584
      • Part of subcall function 00007FF6D9FE3578: GetFileType.KERNELBASE(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE359C
      • Part of subcall function 00007FF6D9FE3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE35C3
      • Part of subcall function 00007FF6D9FE3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE35D9
      • Part of subcall function 00007FF6D9FE3578: GetConsoleMode.KERNELBASE(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE35ED
      • Part of subcall function 00007FF6D9FE3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE3602
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressHandleProcProcess$AllocCommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireAllocateBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
    • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
    • API String ID: 3614140610-3021193919
    • Opcode ID: 172b698400a4144ef5224189bd2f7d65852c6c10f3c357a529f948fe7e5f60a5
    • Instruction ID: b8eacc52f2c8ee91c8627daac3f883abec7e3abb415eb4e20bcfe8ca5c361871
    • Opcode Fuzzy Hash: 172b698400a4144ef5224189bd2f7d65852c6c10f3c357a529f948fe7e5f60a5
    • Instruction Fuzzy Hash: 76C1AE21A0CB4396EA14AF51E8541BD77A4FF8AB99F448177DA0EC77A2DF3CE4658300
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF6D9FDF52A,00000000,00000000,?,00000000,?,00007FF6D9FDE626,?,?,00000000,00007FF6D9FE1F69), ref: 00007FF6D9FDF8DE
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6D9FE1F69,?,?,?,?,?,?,?,00007FF6D9FD286E,00000000,00000000,00000000,00000000), ref: 00007FF6D9FDF8FB
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6D9FE1F69,?,?,?,?,?,?,?,00007FF6D9FD286E,00000000,00000000,00000000,00000000), ref: 00007FF6D9FDF951
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6D9FE1F69,?,?,?,?,?,?,?,00007FF6D9FD286E,00000000,00000000,00000000,00000000), ref: 00007FF6D9FDF96B
    • wcschr.MSVCRT ref: 00007FF6D9FDFA8E
    • _get_osfhandle.MSVCRT ref: 00007FF6D9FDFB14
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF6D9FE1F69,?,?,?,?,?,?,?,00007FF6D9FD286E,00000000,00000000,00000000,00000000), ref: 00007FF6D9FDFB2D
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF6D9FE1F69,?,?,?,?,?,?,?,00007FF6D9FD286E,00000000,00000000,00000000,00000000), ref: 00007FF6D9FDFBEA
    • _get_osfhandle.MSVCRT ref: 00007FF6D9FDF996
      • Part of subcall function 00007FF6D9FE0010: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF6D9FF849D,?,?,?,00007FF6D9FFF0C7), ref: 00007FF6D9FE0045
      • Part of subcall function 00007FF6D9FE0010: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6D9FFF0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6D9FFE964), ref: 00007FF6D9FE0071
      • Part of subcall function 00007FF6D9FE0010: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6D9FE0092
      • Part of subcall function 00007FF6D9FE0010: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6D9FE00A7
      • Part of subcall function 00007FF6D9FE0010: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6D9FE0181
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6D9FE1F69,?,?,?,?,?,?,?,00007FF6D9FD286E,00000000,00000000,00000000,00000000), ref: 00007FF6D9FED401
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6D9FE1F69,?,?,?,?,?,?,?,00007FF6D9FD286E,00000000,00000000,00000000,00000000), ref: 00007FF6D9FED41B
    • longjmp.MSVCRT(?,?,00000000,00007FF6D9FE1F69,?,?,?,?,?,?,?,00007FF6D9FD286E,00000000,00000000,00000000,00000000), ref: 00007FF6D9FED435
    • longjmp.MSVCRT(?,?,00000000,00007FF6D9FE1F69,?,?,?,?,?,?,?,00007FF6D9FD286E,00000000,00000000,00000000,00000000), ref: 00007FF6D9FED480
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CriticalSection$EnterFileLeave$LockPointerShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidewcschr
    • String ID: =,;
    • API String ID: 3964947564-1539845467
    • Opcode ID: 98315cab970932119a6691ce4b7dab6fc313552480302974d3843cb62566fdd6
    • Instruction ID: f713d15e1bdb617a681d33891e7c0c6cb456349bcc6ad4a23d73b6eb413ef5e7
    • Opcode Fuzzy Hash: 98315cab970932119a6691ce4b7dab6fc313552480302974d3843cb62566fdd6
    • Instruction Fuzzy Hash: 13026921A1D6038AEB289F21E8405BD76A5FF89B58F544277D91EC77E6EF3CA424C301
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
    • String ID: :
    • API String ID: 1809961153-336475711
    • Opcode ID: 9a6838553337d10caea9482eb8d4b87fb6c3f53a5735761c353ac2a4c5941523
    • Instruction ID: 4bb73565df87c06928c04c001ed287bc03cae997ca7b2a028260fb3ac51a79cd
    • Opcode Fuzzy Hash: 9a6838553337d10caea9482eb8d4b87fb6c3f53a5735761c353ac2a4c5941523
    • Instruction Fuzzy Hash: A0D13A26A1CB8682EA64DF15E4442BEB7A1FB84750F444137EA4EC37A5EF7CE554CB00
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: iswdigitiswspacewcschr
    • String ID: ()|&=,;"$=,;$Ungetting: '%s'
    • API String ID: 1595556998-2755026540
    • Opcode ID: e96c15cb8f8de66f5ffc9bf5ec9d0c6fd0ab5971a01c0a57f8745c566a0df927
    • Instruction ID: 4e9136818544c9cc831c1565bb9a4f7ecbef8966fa0941ade080ede089e51cdc
    • Opcode Fuzzy Hash: e96c15cb8f8de66f5ffc9bf5ec9d0c6fd0ab5971a01c0a57f8745c566a0df927
    • Instruction Fuzzy Hash: 9E22BC69E2C65382FA604F12E84467E36A0BF85799F948173D98DC73E1EF3CA4718701
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
    • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
    • API String ID: 2622545777-4197029667
    • Opcode ID: 8eeef2ed06c537bd9747ced6f978eb122ffaf98112ffaa52732f2f0061db8594
    • Instruction ID: 9d5e0feadc9fcb9f269b036e7d85432c27880a7e3657db90bab36913d05e9a31
    • Opcode Fuzzy Hash: 8eeef2ed06c537bd9747ced6f978eb122ffaf98112ffaa52732f2f0061db8594
    • Instruction Fuzzy Hash: A8914B62B09A8786EE259F11E8502BD63A5FF48B88F544177C94EC7696EF3CE624C300
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: ConsoleMode_get_osfhandle
    • String ID: CMD.EXE
    • API String ID: 1606018815-3025314500
    • Opcode ID: 3e686ae0276ad7ff8a78bb3c5d2715100bc0f58041da1ae85f5dc5c67167e71d
    • Instruction ID: 7b9e9069a15d64892781e5032e6d1cdd7ae21fac08d426e2050aae044cd7c3f5
    • Opcode Fuzzy Hash: 3e686ae0276ad7ff8a78bb3c5d2715100bc0f58041da1ae85f5dc5c67167e71d
    • Instruction Fuzzy Hash: D641ED31A0D7038BE7194F15E9541BC7BA0FB8A759F4891BAC91EC33A2DF3CA4258705
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
      • Part of subcall function 00007FF6D9FE58E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF6D9FFC6DB), ref: 00007FF6D9FE58EF
      • Part of subcall function 00007FF6D9FE081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6D9FE084E
    • towupper.MSVCRT ref: 00007FF6D9FFC1C9
    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6D9FFC31C
    • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF6D9FFC5CB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CriticalDriveEnterEnvironmentFreeLocalSectionTypeVariabletowupper
    • String ID: %s $%s>$PROMPT$Unknown$\$x
    • API String ID: 2242554020-3610052186
    • Opcode ID: 5e630d37b7b09928d23bc05a013b986a7d5ce2529fc585b79f6df014d867e99c
    • Instruction ID: 8e299dcccb5f86871a41d1b20a4c3f0e24c95ecfbbbf15f250103a1185d99b83
    • Opcode Fuzzy Hash: 5e630d37b7b09928d23bc05a013b986a7d5ce2529fc585b79f6df014d867e99c
    • Instruction Fuzzy Hash: 9512D421A0C66381EA24AF15A4441BE63A1FF44BA8F544337DAAEC37E1DF3CE529D704
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
    • String ID:
    • API String ID: 1313749407-0
    • Opcode ID: 4d31b305405a3d765fe0144db543a2852d122a425ff484c85fdfa966466d6282
    • Instruction ID: 8da4ddf9ee0b3a65f1ad65e1663ac39e6ea6d88b8920273d98a8fd9637df2312
    • Opcode Fuzzy Hash: 4d31b305405a3d765fe0144db543a2852d122a425ff484c85fdfa966466d6282
    • Instruction Fuzzy Hash: 2051D722B0D68246FA20AF12981427D6695FF49B94F485636DE3EC77D1EF3CE860C204
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
    • String ID:
    • API String ID: 4291973834-0
    • Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
    • Instruction ID: 1fb3696df4c3ee3ad88fc4cb308e0ee50d100d835e97058436e6c997158c6a5a
    • Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
    • Instruction Fuzzy Hash: DF411A32E0C64386F761AF52E95027D32A4BF54348F040977E91DC76A2DF7CE8A48794
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF6D9FE3578: _get_osfhandle.MSVCRT ref: 00007FF6D9FE3584
      • Part of subcall function 00007FF6D9FE3578: GetFileType.KERNELBASE(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE359C
      • Part of subcall function 00007FF6D9FE3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE35C3
      • Part of subcall function 00007FF6D9FE3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE35D9
      • Part of subcall function 00007FF6D9FE3578: GetConsoleMode.KERNELBASE(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE35ED
      • Part of subcall function 00007FF6D9FE3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE3602
    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF6D9FE3491,?,?,?,00007FF6D9FF4420), ref: 00007FF6D9FE3514
    • _get_osfhandle.MSVCRT ref: 00007FF6D9FE3522
    • WriteConsoleW.KERNELBASE(?,?,?,?,00000000,00007FF6D9FE3491,?,?,?,00007FF6D9FF4420), ref: 00007FF6D9FE3541
    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF6D9FE3491,?,?,?,00007FF6D9FF4420), ref: 00007FF6D9FE355E
      • Part of subcall function 00007FF6D9FE36EC: _get_osfhandle.MSVCRT ref: 00007FF6D9FE3715
      • Part of subcall function 00007FF6D9FE36EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6D9FE3770
      • Part of subcall function 00007FF6D9FE36EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6D9FE3791
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
    • String ID:
    • API String ID: 4057327938-0
    • Opcode ID: 807fa989d39d4849e06e2f4786b28539bca90d0803ce6995c92bbc2c66011cd3
    • Instruction ID: 32fb8b99b6ece9975b42bc823bc9d31730bdebfedde97c2aac8454253733b056
    • Opcode Fuzzy Hash: 807fa989d39d4849e06e2f4786b28539bca90d0803ce6995c92bbc2c66011cd3
    • Instruction Fuzzy Hash: BE317E21F0CA4387E7659F26A80407DBAA4FF89745F58417BDE4EC3396DE7CE9288600
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _get_osfhandle.MSVCRT ref: 00007FF6D9FE01C4
    • GetFileType.KERNELBASE(?,?,?,00007FF6D9FEE904,?,?,?,?,00000000,00007FF6D9FE3491,?,?,?,00007FF6D9FF4420), ref: 00007FF6D9FE01D6
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF6D9FEE904,?,?,?,?,00000000,00007FF6D9FE3491,?,?,?,00007FF6D9FF4420), ref: 00007FF6D9FE0212
    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6D9FEE904,?,?,?,?,00000000,00007FF6D9FE3491,?,?,?,00007FF6D9FF4420), ref: 00007FF6D9FE0228
    • GetConsoleMode.KERNELBASE(?,?,?,00007FF6D9FEE904,?,?,?,?,00000000,00007FF6D9FE3491,?,?,?,00007FF6D9FF4420), ref: 00007FF6D9FE023C
    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6D9FEE904,?,?,?,?,00000000,00007FF6D9FE3491,?,?,?,00007FF6D9FF4420), ref: 00007FF6D9FE0251
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
    • String ID:
    • API String ID: 513048808-0
    • Opcode ID: ef555d96517b4a4d7bc0a02b43aa9942dfc75bbee8affbf3c621068c46bc1ac3
    • Instruction ID: d01caa38b00747e519f76fa7e32006b6609970af0056a09e1be6731ddd9e4a32
    • Opcode Fuzzy Hash: ef555d96517b4a4d7bc0a02b43aa9942dfc75bbee8affbf3c621068c46bc1ac3
    • Instruction Fuzzy Hash: CC216A2190C78387E7604F64A58827C7AA0FF4A759F584277DA1EC76A2CF7CE4688700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _get_osfhandle.MSVCRT ref: 00007FF6D9FE3584
    • GetFileType.KERNELBASE(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE359C
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE35C3
    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE35D9
    • GetConsoleMode.KERNELBASE(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE35ED
    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE3602
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
    • String ID:
    • API String ID: 513048808-0
    • Opcode ID: 4be1f5ec09c5108d2c7826c3a7209228348aa1fd039264005e97f60c6ac8ced8
    • Instruction ID: 5ebb11e051d1fccef833b918bdab59c7ca862e4fec833b319c6c92c4f6046c20
    • Opcode Fuzzy Hash: 4be1f5ec09c5108d2c7826c3a7209228348aa1fd039264005e97f60c6ac8ced8
    • Instruction Fuzzy Hash: 0A115E21A0CB4386EA244F35A54847CAAA4FB4A769F555377DA2EC33D1CE7CD4688701
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CloseOpenQueryValue
    • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
    • API String ID: 3677997916-3870813718
    • Opcode ID: 11f10b6277c18dac5d1f9458213eb359f51f159b19c3fb95c1c998554f45dc91
    • Instruction ID: 53821106f9533bbbd87ba8799d81a59f4c7b4e402ccbdfb3741a19df5c8d8cc8
    • Opcode Fuzzy Hash: 11f10b6277c18dac5d1f9458213eb359f51f159b19c3fb95c1c998554f45dc91
    • Instruction Fuzzy Hash: 52114C3261CB42C7EB208F50E44026EB7A4FB897A5F404232DA8D43768DF7DC058CB04
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6D9FE49F1), ref: 00007FF6D9FE4A28
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FE49F1), ref: 00007FF6D9FE4A66
    • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6D9FE49F1), ref: 00007FF6D9FE4A7D
    • memmove.MSVCRT(?,?,00000000,00007FF6D9FE49F1), ref: 00007FF6D9FE4A9A
    • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6D9FE49F1), ref: 00007FF6D9FE4AA2
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: EnvironmentHeapStrings$AllocateFreeProcessmemmove
    • String ID:
    • API String ID: 647542462-0
    • Opcode ID: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
    • Instruction ID: e58a27c873bc21873bff2cf724434d18195f7c86ea177184621638ba73ef82c0
    • Opcode Fuzzy Hash: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
    • Instruction Fuzzy Hash: F511A026A18B4282DE209F02B44403DBBA0FB89FA4B59907ADE4E83755DF3DE4518744
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 00007FF6D9FFB934
    • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6D9FE5085), ref: 00007FF6D9FFB9A5
    • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6D9FE5085), ref: 00007FF6D9FFB9F7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
    • String ID: %WINDOWS_COPYRIGHT%
    • API String ID: 1103618819-1745581171
    • Opcode ID: 315f33a102ad39634f979ce1a7930e6d82fe0816c96778e1b84bf6ee5a19bbf5
    • Instruction ID: 55043ebf77af286c04c938a464a43990f765f3a29de55fcab62b96f4dca8a66a
    • Opcode Fuzzy Hash: 315f33a102ad39634f979ce1a7930e6d82fe0816c96778e1b84bf6ee5a19bbf5
    • Instruction Fuzzy Hash: BB41A062A08B8286EB208F15D45027D77A1FB49BD9F859276DF8D83395EF3CE4A5C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6D9FD8798), ref: 00007FF6D9FE4AD6
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6D9FD8798), ref: 00007FF6D9FE4AEF
      • Part of subcall function 00007FF6D9FE4A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6D9FE49F1), ref: 00007FF6D9FE4A28
      • Part of subcall function 00007FF6D9FE4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FE49F1), ref: 00007FF6D9FE4A66
      • Part of subcall function 00007FF6D9FE4A14: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6D9FE49F1), ref: 00007FF6D9FE4A7D
      • Part of subcall function 00007FF6D9FE4A14: memmove.MSVCRT(?,?,00000000,00007FF6D9FE49F1), ref: 00007FF6D9FE4A9A
      • Part of subcall function 00007FF6D9FE4A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6D9FE49F1), ref: 00007FF6D9FE4AA2
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6D9FD8798), ref: 00007FF6D9FEEE64
    • RtlFreeHeap.NTDLL(?,?,?,00007FF6D9FD8798), ref: 00007FF6D9FEEE78
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$Process$EnvironmentFreeStrings$AllocAllocatememmove
    • String ID:
    • API String ID: 3874763886-0
    • Opcode ID: 7a3e83c85971b04ca882a9ee2456586daf5b43258bcc07a67dde7322b822874c
    • Instruction ID: f3f3c82ac1af80d4295fcd5e0654e30f3440a8da682e3415615545b3430954a3
    • Opcode Fuzzy Hash: 7a3e83c85971b04ca882a9ee2456586daf5b43258bcc07a67dde7322b822874c
    • Instruction Fuzzy Hash: 29F06D60E09B4386EF259F66A44417CADD1FF8EB45B498079CD0EC3351EE3CA5248711
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset
    • String ID: onecore\base\cmd\maxpathawarestring.cpp
    • API String ID: 2221118986-3416068913
    • Opcode ID: 9d986779ded9d6f5d75f9ad373981b98952a2f194155cc8bde4d49c126c00a83
    • Instruction ID: 6349543dfe4247d4a7f4adc644b79a6e3ee58c7243a86d5f77120adc511f7a21
    • Opcode Fuzzy Hash: 9d986779ded9d6f5d75f9ad373981b98952a2f194155cc8bde4d49c126c00a83
    • Instruction Fuzzy Hash: 3D11A521A0874685FB54DF66E5542BD22929F85BE8F184333EE6DCB7D6DE2CD4A08304
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID:
    • String ID: GeToken: (%x) '%s'
    • API String ID: 0-1994581435
    • Opcode ID: f9391344a69862f8414903480630b12e8e70c9aa2b3bdcd8f42a8ad775e2db21
    • Instruction ID: 52e6560010d2d1bb25e72215f1497fe3ef8f719adbb8770d41932056e880574b
    • Opcode Fuzzy Hash: f9391344a69862f8414903480630b12e8e70c9aa2b3bdcd8f42a8ad775e2db21
    • Instruction Fuzzy Hash: 56012920E1D5078AF7149F28D8942BC26A1AF9532CF5446B7D42ECB7E2DE6C74A58701
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Concurrency::cancel_current_taskmalloc
    • String ID:
    • API String ID: 1412018758-0
    • Opcode ID: 738c8df77e10b4e497db5d3a2d7ddec6b27d778605f8f6b2fdfcc597a874d2dd
    • Instruction ID: 791a6f97fd201e24864a6289f7daa7a01a5998d6b67cc647770f3d6a861bc0a6
    • Opcode Fuzzy Hash: 738c8df77e10b4e497db5d3a2d7ddec6b27d778605f8f6b2fdfcc597a874d2dd
    • Instruction Fuzzy Hash: 35E0E541F5A60B95FE2A2F6278461BC13545F69B51E582432DE1DCB392EE2DE0F58320
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6D9FDB9A1,?,?,?,?,00007FF6D9FDD81A), ref: 00007FF6D9FDCDA6
    • RtlAllocateHeap.NTDLL(?,?,?,00007FF6D9FDB9A1,?,?,?,?,00007FF6D9FDD81A), ref: 00007FF6D9FDCDBD
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$AllocateProcess
    • String ID:
    • API String ID: 1357844191-0
    • Opcode ID: 9a820599708a522690afe6bbce0270cb8cb077445389604e7191a5141531bc8d
    • Instruction ID: 444d96b406c41621470f8115809145640fbf0779beb7a6776df46cc2a4c03e88
    • Opcode Fuzzy Hash: 9a820599708a522690afe6bbce0270cb8cb077445389604e7191a5141531bc8d
    • Instruction Fuzzy Hash: 95F0A972A1C74282EB148F06F8800BCBBA5FB89B44B589136DA0EC7355DF3CE4A1C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _get_osfhandle.MSVCRT ref: 00007FF6D9FFF31C
    • GetFileType.KERNELBASE(?,?,?,?,00007FF6D9FEE91F,?,?,?,?,00000000,00007FF6D9FE3491,?,?,?,00007FF6D9FF4420), ref: 00007FF6D9FFF32B
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: FileType_get_osfhandle
    • String ID:
    • API String ID: 2312334805-0
    • Opcode ID: 223848f62e28b87063ec73ebbe696b5da64dbff73e64d749b635a9d8a6dc9d85
    • Instruction ID: 1d4159d93cfca7d5a403b8c7a431b198893c8bec7f5f13827e44582af58846b9
    • Opcode Fuzzy Hash: 223848f62e28b87063ec73ebbe696b5da64dbff73e64d749b635a9d8a6dc9d85
    • Instruction Fuzzy Hash: ECD05E35E0A602C7CB08AF61685407C6AA0FB8D705B8180B9D60BC7311DE3C50548700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: FormatMessage
    • String ID:
    • API String ID: 1306739567-0
    • Opcode ID: 7d14eb8d6440d8a6ff149373b33d2c264773d91702229be83f18df8b013b3c5b
    • Instruction ID: a38e81bcd80c131654e2c129e3ac67e300d4d67dc688854b5f14916b9e44fe19
    • Opcode Fuzzy Hash: 7d14eb8d6440d8a6ff149373b33d2c264773d91702229be83f18df8b013b3c5b
    • Instruction Fuzzy Hash: F3F0AF72B18B4096D7108B10E488BAD3BA9F359794FA24179D7AC46710DF3ACA64CB84
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetUserDefaultLangID.KERNELBASE(?,?,?,?,00007FF6D9FD6F97), ref: 00007FF6D9FE550C
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: DefaultLangUser
    • String ID:
    • API String ID: 768647712-0
    • Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
    • Instruction ID: 983289947f8d56865ca97bd96f977321a83aeab61dee4a906fe0df4d2d026905
    • Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
    • Instruction Fuzzy Hash: 7DE0C2A2D183538AF9982E8260413BC2953CB68786FC44033C60EC32C5CD2D28615209
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset
    • String ID:
    • API String ID: 2221118986-0
    • Opcode ID: 5e7fccc8773aef34ba68b35cce16b71deba0983de483b5e6488b3a2eb2d94e71
    • Instruction ID: c5ec890d588a0071bd51e6d626591ba7f08758a271a3159d162236b1efab53c2
    • Opcode Fuzzy Hash: 5e7fccc8773aef34ba68b35cce16b71deba0983de483b5e6488b3a2eb2d94e71
    • Instruction Fuzzy Hash: C7F05E21B0979640EA548B57B94016D62959B88BE0B488336EA7DC7BD9EE3CD4628700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: _wcsicmp$AttributeHeapProcThread$ErrorHandleLast$ListProcessmemset$towupper$CloseConsoleCtrlDeleteFreeHandlerInitializeUpdateiswspacewcschr$AllocCreateInfoStartup_wcsnicmp
    • String ID: $ /K $ /K %s$"%s"$.LNK$ABOVENORMAL$AFFINITY$BELOWNORMAL$COMSPEC$HIGH$LOW$MAX$MIN$NEWWINDOW$NODE$NORMAL$REALTIME$SEPARATE$SHARED$WAIT
    • API String ID: 1388555566-2647954630
    • Opcode ID: 0c7347f3e22ddfba5c98678606a1d58325ad8667ce46c200bbbc2c40ae858416
    • Instruction ID: 61dbf5e2dbcfc6bac8dcc9fc8dccb287aeefabe52b6fe0ab1043a2aad5c30b73
    • Opcode Fuzzy Hash: 0c7347f3e22ddfba5c98678606a1d58325ad8667ce46c200bbbc2c40ae858416
    • Instruction Fuzzy Hash: 3DA28231A0C78286EB249F26A8542BD7BA1FF89B88F448176DA4EC7795DF7CE454C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: wcschr$FileSize_get_osfhandle_wcsnicmpiswspace
    • String ID: &<|>$+: $:$:EOF$=,;$^
    • API String ID: 511550188-726566285
    • Opcode ID: ecc936a8b2123d416c6907596ec693eb851faf97a5d6d1e260225ff274185885
    • Instruction ID: 2a92a497c0632ec23c71932f4406ce60d7afd797d469a6b0ec2cf6e66e0b047c
    • Opcode Fuzzy Hash: ecc936a8b2123d416c6907596ec693eb851faf97a5d6d1e260225ff274185885
    • Instruction Fuzzy Hash: 2152A032E0C69386EB259F25A4042BD7AA1FB85B48F448177EA4EC3795DF3CE965C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: _wcsnicmp$wcschr$wcstol
    • String ID: delims=$eol=$skip=$tokens=$useback$usebackq
    • API String ID: 1738779099-3004636944
    • Opcode ID: 9efc5e680396b75076e63303b627040fc2277f7c0f3a1c65f5e9be39770acc7c
    • Instruction ID: 3b8a18c0266190ffc97b4d31c88df6d85823d2d22a144ab902bf89ad4eec4c6c
    • Opcode Fuzzy Hash: 9efc5e680396b75076e63303b627040fc2277f7c0f3a1c65f5e9be39770acc7c
    • Instruction Fuzzy Hash: 95726932F086528AEB209F65D4446BD37A1FB85B88F458136DE0ED7794EE3CE865C348
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Filememset$Attributes$ErrorLast$AllocCopyFindFirstVirtualwcschr
    • String ID: %s$%s
    • API String ID: 3623545644-3518022669
    • Opcode ID: 2c59002f44014bed6d62d7d9bfab8569cdd3669a3fab2aacb014ef1240c6e24b
    • Instruction ID: f2f447223e1bd851d0d1a6cfea7cc25176445f433791e113944eb390ccb09961
    • Opcode Fuzzy Hash: 2c59002f44014bed6d62d7d9bfab8569cdd3669a3fab2aacb014ef1240c6e24b
    • Instruction Fuzzy Hash: 17D28E32A086838AEB649F25D8902BD77A1FB85758F14413ADA4EC7BD5DF3CE564CB00
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Console$memset$BufferMode$FullInfoNamePathScreen$CharacterCursorErrorFillFlushHandleInputLastOutputPositionWrite_getch_wcsicmpwcschrwcsrchr
    • String ID: %9d$%s
    • API String ID: 4286035211-3662383364
    • Opcode ID: a3bee1deb293f716227e62ac9c5a3310629ad2ba5b6ef547e6115011021ce3f8
    • Instruction ID: f5ba059b58f868d659320a3ceda0cb5548acbbfa6d4486d898c73dd159b30757
    • Opcode Fuzzy Hash: a3bee1deb293f716227e62ac9c5a3310629ad2ba5b6ef547e6115011021ce3f8
    • Instruction Fuzzy Hash: 6B52A132B08B828AEB259F25D8502FD77A4FB89799F444136DA0E87B95DF3CE558C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
    • String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
    • API String ID: 3305344409-4288247545
    • Opcode ID: 534ec16e987550a66f3e1d5b34a1157b4fd9a17b2c719d80120aaa9796f83e6c
    • Instruction ID: ee8bd92dcc807ec5d4846e452b23c4b4c086668c7962e05136de74e3bbf52922
    • Opcode Fuzzy Hash: 534ec16e987550a66f3e1d5b34a1157b4fd9a17b2c719d80120aaa9796f83e6c
    • Instruction Fuzzy Hash: E342B021B0D78385EB609F2298502BE67A1FF85B98F484236D91ECB7D6DF3CE5658300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
    • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
    • API String ID: 388421343-2905461000
    • Opcode ID: 91aa278bae488f07ca69690407c5ac2f944185e63ade342298008147df7553ae
    • Instruction ID: b9520049ef4fc2115942c1bcb7f5eaf1a4d1d13a4cb6ca2b713a57e33e33a7c3
    • Opcode Fuzzy Hash: 91aa278bae488f07ca69690407c5ac2f944185e63ade342298008147df7553ae
    • Instruction Fuzzy Hash: 67F12932A1CB8286EA609F11E4847BEB7A5FB89784F50417BDA4DC7695DF3CE464CB00
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: wcsrchr$towlower
    • String ID: fdpnxsatz
    • API String ID: 3267374428-1106894203
    • Opcode ID: a2e01bddbcf446966ff69a9cc6a8659e7d71e7754141e89b10d21dc1499ca482
    • Instruction ID: 07b66bb7b9457de2190ed10e031a0cd747dceeb898c212861a628673d79e6dd3
    • Opcode Fuzzy Hash: a2e01bddbcf446966ff69a9cc6a8659e7d71e7754141e89b10d21dc1499ca482
    • Instruction Fuzzy Hash: 1C42B122B09B8286EB648F2699542BD67A1FF45B94F548137DE4EC7BD4DF3CE8618300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
    • String ID: DPATH
    • API String ID: 95024817-2010427443
    • Opcode ID: d8f382e6e12ddc57194bca8be96919110f8aaf6239d95eeedcf695d463a234ea
    • Instruction ID: 825715267702fe5c8bc7e063d037dab459f791236a7a886420e6086b33dcee12
    • Opcode Fuzzy Hash: d8f382e6e12ddc57194bca8be96919110f8aaf6239d95eeedcf695d463a234ea
    • Instruction Fuzzy Hash: A012C632A0C68386E7649F11A4441BDB7A1FB89B58F44523BEA5ED7795DF3CE414CB00
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID:
    • String ID: [...]$ [..]$ [.]$...$:
    • API String ID: 0-1980097535
    • Opcode ID: 251dffbd20cb83d3debd935fcd4546828530d34106f281e7cd8b68f040cf8ba4
    • Instruction ID: ffe6bf796090c2cdf1ccc60c5162f6ad2dd0adc1f203fd42af26d7dd42a12aaa
    • Opcode Fuzzy Hash: 251dffbd20cb83d3debd935fcd4546828530d34106f281e7cd8b68f040cf8ba4
    • Instruction Fuzzy Hash: 33329B72A0878386EB60DF61E8402FD73A5EB85788F418136DA4D8779ADF7CE569C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Time$File$System$DateDefaultFormatInfoLangLocalLocaleUsermemmoverealloc
    • String ID: $P$G$%02d%s%02d%s%02d$%s $%s %s
    • API String ID: 4111365348-3792846528
    • Opcode ID: 4bbca4a7fa58dce35846e693fe757bf5253ce874f3a130b4f9e0a181b9804d7b
    • Instruction ID: ebacbc757251793b3ed742bced77c487af042dd985c7423bb049c7fd8189ed25
    • Opcode Fuzzy Hash: 4bbca4a7fa58dce35846e693fe757bf5253ce874f3a130b4f9e0a181b9804d7b
    • Instruction Fuzzy Hash: B1E17D62A0C64386EB209F65A8442FD67A1FF8978CF544133DA4ED7696EF3CE529C340
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _wcsupr.MSVCRT ref: 00007FF6D9FFEF33
    • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6D9FFE964), ref: 00007FF6D9FFEF98
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6D9FFE964), ref: 00007FF6D9FFEFA9
    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6D9FFE964), ref: 00007FF6D9FFEFBF
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF6D9FFEFDC
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6D9FFE964), ref: 00007FF6D9FFEFED
    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6D9FFE964), ref: 00007FF6D9FFF003
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6D9FFE964), ref: 00007FF6D9FFF022
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6D9FFE964), ref: 00007FF6D9FFF083
    • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6D9FFE964), ref: 00007FF6D9FFF092
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6D9FFE964), ref: 00007FF6D9FFF0A5
    • towupper.MSVCRT ref: 00007FF6D9FFF0DB
    • wcschr.MSVCRT ref: 00007FF6D9FFF135
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6D9FFE964), ref: 00007FF6D9FFF16C
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6D9FFE964), ref: 00007FF6D9FFF185
      • Part of subcall function 00007FF6D9FE01B8: _get_osfhandle.MSVCRT ref: 00007FF6D9FE01C4
      • Part of subcall function 00007FF6D9FE01B8: GetFileType.KERNELBASE(?,?,?,00007FF6D9FEE904,?,?,?,?,00000000,00007FF6D9FE3491,?,?,?,00007FF6D9FF4420), ref: 00007FF6D9FE01D6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
    • String ID: <noalias>$CMD.EXE
    • API String ID: 1161012917-1690691951
    • Opcode ID: 515b4b3c9e1c53e86647d6030510c72eb22c7b0d4b1ae78da30837f4729b0ade
    • Instruction ID: 6d3923d82d8aa11bc78508f61b7f44d1a084c9ae346ead4797b690bdba75bad9
    • Opcode Fuzzy Hash: 515b4b3c9e1c53e86647d6030510c72eb22c7b0d4b1ae78da30837f4729b0ade
    • Instruction Fuzzy Hash: 0C919D22F086438AFB159F61E8101BD2AA0AF49B59F488177DE0EC77D6DF3CA469C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
    • String ID: \\?\
    • API String ID: 628682198-4282027825
    • Opcode ID: 58be10dc0a729e0ede8e45c897456c5a564b599b2587ade0bf5c951e8e4c4558
    • Instruction ID: 5b2280df3402d88d4da0e0ae16a8e44a65ee5f1870e820e5645fb944473e5639
    • Opcode Fuzzy Hash: 58be10dc0a729e0ede8e45c897456c5a564b599b2587ade0bf5c951e8e4c4558
    • Instruction Fuzzy Hash: AAE1AE62B0868296EB659F25D8403FD63A0FB85749F405136EA1EC77E5EF3CE665C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: wcschr$memset$ErrorFileHeapLast$AllocAttributesCloseFindMoveProcessProgressWith_setjmpiswspacelongjmpwcsrchr
    • String ID:
    • API String ID: 16309207-0
    • Opcode ID: 39281ab943732698daec275114152188bca7bc57d7047d9a14549d778b5747ea
    • Instruction ID: f77267ef10b3cd1f0f9f3c796a799dbe192205fdf7aa79dceb89c8daedc7b7aa
    • Opcode Fuzzy Hash: 39281ab943732698daec275114152188bca7bc57d7047d9a14549d778b5747ea
    • Instruction Fuzzy Hash: 4E22A162B08B8286EB259F25D8542FD63A0FF85B89F404136DA1E8BB95DF3CE165C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • longjmp.MSVCRT(?,?,00000000,00007FF6D9FF048E), ref: 00007FF6D9FFDA58
    • memset.MSVCRT ref: 00007FF6D9FFDAD6
    • memset.MSVCRT ref: 00007FF6D9FFDAFC
    • memset.MSVCRT ref: 00007FF6D9FFDB22
      • Part of subcall function 00007FF6D9FE3A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6D9FFEAC5,?,?,?,00007FF6D9FFE925,?,?,?,?,00007FF6D9FDB9B1), ref: 00007FF6D9FE3A56
      • Part of subcall function 00007FF6D9FD5194: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF6D9FD51C4
      • Part of subcall function 00007FF6D9FE823C: FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6D9FE8280
      • Part of subcall function 00007FF6D9FE823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6D9FE829D
      • Part of subcall function 00007FF6D9FE01B8: _get_osfhandle.MSVCRT ref: 00007FF6D9FE01C4
      • Part of subcall function 00007FF6D9FE01B8: GetFileType.KERNELBASE(?,?,?,00007FF6D9FEE904,?,?,?,?,00000000,00007FF6D9FE3491,?,?,?,00007FF6D9FF4420), ref: 00007FF6D9FE01D6
      • Part of subcall function 00007FF6D9FD4FE8: _get_osfhandle.MSVCRT ref: 00007FF6D9FD5012
      • Part of subcall function 00007FF6D9FD4FE8: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6D9FD5030
    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6D9FFDDB0
      • Part of subcall function 00007FF6D9FD59E4: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6D9FD5A2E
      • Part of subcall function 00007FF6D9FD59E4: _open_osfhandle.MSVCRT ref: 00007FF6D9FD5A4F
    • _get_osfhandle.MSVCRT ref: 00007FF6D9FFDDEB
    • SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6D9FFDDFA
    • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6D9FFE204
    • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6D9FFE223
    • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6D9FFE242
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: File$_get_osfhandlememset$Find$AllocAttributesCloseCreateErrorFirstLastReadTypeVirtual_open_osfhandlelongjmp
    • String ID: %9d$%s$~
    • API String ID: 3651208239-912394897
    • Opcode ID: 29544b42f9cbdb1dfb34a09445a5538564ede9ca9281ec5b6e2057e935bcb2de
    • Instruction ID: 9d53aece858a8e2f152e2d2aac34660a2387ac7954c24fd39021531be3a9a26d
    • Opcode Fuzzy Hash: 29544b42f9cbdb1dfb34a09445a5538564ede9ca9281ec5b6e2057e935bcb2de
    • Instruction Fuzzy Hash: 4C425D32A087828AEB649F25D8502FD77A1FB85748F500137EA4DC7A99DF3DE565CB00
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
    • String ID: GOTO
    • API String ID: 3863671652-1693823284
    • Opcode ID: dee6fc3255eb917917b1ec0481f3bd1534c34cd92e8af6b215a3ce948fe175a9
    • Instruction ID: 6c6d36f25d34b895e813d6a3bfac0873dd04974cb8577a264e2eb4a8cca568cf
    • Opcode Fuzzy Hash: dee6fc3255eb917917b1ec0481f3bd1534c34cd92e8af6b215a3ce948fe175a9
    • Instruction Fuzzy Hash: 96E1AB21A0D64386FA64AF15A4543BD26A2FF89B48F554237DA1EC77D2DF3CE865C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
    • String ID: COPYCMD$\
    • API String ID: 3989487059-1802776761
    • Opcode ID: 3bbf8f215ee2954a5d4fb17bf70d9d8e166cfa696a158a9e0d223ca151e74ab2
    • Instruction ID: 8b52a0ccc6d16b8a37c11a7ab0e89074ea7186a0a6742a4b81e6ac5be053dc3f
    • Opcode Fuzzy Hash: 3bbf8f215ee2954a5d4fb17bf70d9d8e166cfa696a158a9e0d223ca151e74ab2
    • Instruction Fuzzy Hash: C6F1C366B0878686EB649F16D4402BE63A1FF85B8CF048136DA4EC77A5EF7CE565C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Time$File$System$FormatInfoLocalLocale
    • String ID: $$P$G$%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$HH:mm:ss t
    • API String ID: 55602301-2040992447
    • Opcode ID: 457f9467175a3318a12c9a214969f411ccc9455fcec49b62d1d196d219907895
    • Instruction ID: 47df092c27fce53cda13b81d827f421cf2b2dece89434b8ea280f768644f1318
    • Opcode Fuzzy Hash: 457f9467175a3318a12c9a214969f411ccc9455fcec49b62d1d196d219907895
    • Instruction Fuzzy Hash: AAA1AB32A1C64296EB208F11E4442BE77A5FB84798F500137EE5EC76A5EF7CE564C704
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
    • String ID:
    • API String ID: 3935429995-0
    • Opcode ID: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
    • Instruction ID: 238f2db9b075562cd5f5bd4e9adb8fdb6d3843993d465aff564189df4ffbabd4
    • Opcode Fuzzy Hash: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
    • Instruction Fuzzy Hash: AF61CE26A1CB9386E7109F22A44467EBBA4FF89F58F058176DE4E83796DF3CD4118704
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID:
    • API String ID: 3188754299-0
    • Opcode ID: bf4ab2995026e5a4594a7787ae0969c26e7308b7f8ed3652c67194726e000269
    • Instruction ID: 1cc17bb7c46ceeb5a8d9421dbc1ca6d61a998beeda81222a51e1d5324daf0b9f
    • Opcode Fuzzy Hash: bf4ab2995026e5a4594a7787ae0969c26e7308b7f8ed3652c67194726e000269
    • Instruction Fuzzy Hash: 04919E32B0969286EB689F25D8502FD76A0FB89B4DF048136DA4E87794EF3CD559C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: _get_osfhandlememset$wcschr
    • String ID: DPATH
    • API String ID: 3260997497-2010427443
    • Opcode ID: 30e79d6667bfef039a896905d814ad25378bb9efaa9bcaf331d36dbb6943df02
    • Instruction ID: d727f5628f68ddbf2ecaae8dc6578251eab355fec7691eabfd0bf073dcff234f
    • Opcode Fuzzy Hash: 30e79d6667bfef039a896905d814ad25378bb9efaa9bcaf331d36dbb6943df02
    • Instruction Fuzzy Hash: DCD1A032A0864286EB25AF65D8401BD63A2FF85BA9F444237DA1EC77D5DF3CE865C340
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: File$InformationNamePathRelative$CloseDeleteErrorFreeHandleLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
    • String ID: @P
    • API String ID: 1801357106-3670739982
    • Opcode ID: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
    • Instruction ID: 23cbbb833a618d2ef106117e57870b60db946ff465a3d04516e2b80f1f1b7c69
    • Opcode Fuzzy Hash: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
    • Instruction Fuzzy Hash: 46417C32B08A42DBE7209F61D4503ED7BA4FB8974CF848232DA1D93A88DF78D558C744
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset$BufferConsoleInfoScreen
    • String ID:
    • API String ID: 1034426908-0
    • Opcode ID: 2d5ade14f79c77d004b43372fe25f46a3d97144d660a0eedcb7f27a731b6732b
    • Instruction ID: af7684d92fa57c8c5bee614b42eab99f4c005eec601db62b00655e8e2513e334
    • Opcode Fuzzy Hash: 2d5ade14f79c77d004b43372fe25f46a3d97144d660a0eedcb7f27a731b6732b
    • Instruction Fuzzy Hash: FFF18C32A087828AEB64DF22D8506ED77A4FF85788F448136DA4E8B795DF3CE564C740
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: ErrorFileFindFirstLast
    • String ID:
    • API String ID: 873889042-0
    • Opcode ID: 11074d3c224ce67514852d4966aba4998422fc44b58f31243b65843f6fe49b86
    • Instruction ID: a8cd783741c2d5668ff0179758f1380e7d0983fd24edbe9c7158b619065a6f08
    • Opcode Fuzzy Hash: 11074d3c224ce67514852d4966aba4998422fc44b58f31243b65843f6fe49b86
    • Instruction Fuzzy Hash: E4513E36A0DB42CAE7119F12E4841BD7BA4FB4AB95F548572CA1DC3391DF3CE4648704
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CloseValue$CreateDeleteOpen
    • String ID: %s=%s$\Shell\Open\Command
    • API String ID: 4081037667-3301834661
    • Opcode ID: cca4a14b3588188b9bfe3025cf43e35c39970c82599c4534055a3dd81e0db7f2
    • Instruction ID: 3321148be1438badfd27e5f63bb87c90f69ed5f450276a516ebce97baf617c28
    • Opcode Fuzzy Hash: cca4a14b3588188b9bfe3025cf43e35c39970c82599c4534055a3dd81e0db7f2
    • Instruction Fuzzy Hash: 7871D672B0974282EB218F66A4502BDA2A5FFC5798F444132DE4E87B94EF7CE569C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6D9FFAA85
    • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6D9FFAACF
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6D9FFAAEC
    • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6D9FF98C0), ref: 00007FF6D9FFAB39
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6D9FF98C0), ref: 00007FF6D9FFAB6F
    • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6D9FF98C0), ref: 00007FF6D9FFABA4
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6D9FF98C0), ref: 00007FF6D9FFABCB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CloseDeleteValue$CreateOpen
    • String ID: %s=%s
    • API String ID: 1019019434-1087296587
    • Opcode ID: c4aa14512d763a8ddc045357bcc46d2d458d72264caee2155a35efe21365b1f8
    • Instruction ID: 9562dc94b677e974d08713e308719016bc9564a0ae7e2942eb66624e75eda97f
    • Opcode Fuzzy Hash: c4aa14512d763a8ddc045357bcc46d2d458d72264caee2155a35efe21365b1f8
    • Instruction Fuzzy Hash: 8D51A232B08B8286E7608F25A4447AE7AA5FBCA794F408236CB5DC3795EF3CD465C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: _wcsnicmpwcsrchr
    • String ID: COPYCMD
    • API String ID: 2429825313-3727491224
    • Opcode ID: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
    • Instruction ID: a2da0af0afda14c5b7756f7752b9acd64b25f117cbf47543d220f76a197b24d7
    • Opcode Fuzzy Hash: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
    • Instruction Fuzzy Hash: AFF19C32F086528AFB649F61D0402BD36A5EB84B9CF144237DE5EA77D4EE3CA469C740
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset$FullNamePathwcsrchr
    • String ID:
    • API String ID: 4289998964-0
    • Opcode ID: a80d012484cbdcca0ca620b8a14734abd8c46742d7c15bd51813b886838a5470
    • Instruction ID: bca4fd48ae26cd90cc44582056a4695a6591cb5b01c6a85b480ab42077b7c3f3
    • Opcode Fuzzy Hash: a80d012484cbdcca0ca620b8a14734abd8c46742d7c15bd51813b886838a5470
    • Instruction Fuzzy Hash: ACC1A022B0D75A82EAA49F5695483BD67A0FF95B98F005532CE1E877D0EF3CA4B5C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: ExclusiveLock$AcquireBufferCancelConsoleFileFlushInputReleaseSynchronous_get_osfhandlefflushfprintf
    • String ID:
    • API String ID: 3476366620-0
    • Opcode ID: e80667afc0d4efceb6aef25f833a3d837a8fcd408026498b2919174857c48976
    • Instruction ID: 122b9ab0cfba4a31ff40e52bba766105a6feb735d79959c54349ec7577bec531
    • Opcode Fuzzy Hash: e80667afc0d4efceb6aef25f833a3d837a8fcd408026498b2919174857c48976
    • Instruction Fuzzy Hash: EA21122090CA4396FA246F21E4152BC6755FF4AB5EF8452B7CA5EC32E2DF3CA468C705
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
    • String ID: %9d
    • API String ID: 1006866328-2241623522
    • Opcode ID: 49dbeeece98ca2af395b5421f0eabdee3e715f5a42a247bfbbf55fa9d0e8537f
    • Instruction ID: fc4f7c44447772a0e19306f8b4b7d70b1b7c727c2bfc15e2a306d4f0e0b6d1a3
    • Opcode Fuzzy Hash: 49dbeeece98ca2af395b5421f0eabdee3e715f5a42a247bfbbf55fa9d0e8537f
    • Instruction Fuzzy Hash: C0511972A086438AE7109F21E8805BD3BA4FB4476CF804676DA6DD77A6CF7CE564CB40
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset
    • String ID:
    • API String ID: 2221118986-0
    • Opcode ID: 7160d99242a1669725aef99eaef69d89578f29fe8c66c0003e2744a279b5bca3
    • Instruction ID: 3ec529576260d6779b1a5a96d26e6141067aaa1c32ad2c20d7b718e105e1d168
    • Opcode Fuzzy Hash: 7160d99242a1669725aef99eaef69d89578f29fe8c66c0003e2744a279b5bca3
    • Instruction Fuzzy Hash: A9C1E022A0978286EB61DF21E890AFD33A4FFD5798F044536DA1D877A5DF3CE5A18300
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$AllocateProcess
    • String ID:
    • API String ID: 1357844191-0
    • Opcode ID: 2e7a924b57887036cda351d50a900b3fc87ff6663746bd4f5c61131fe866968e
    • Instruction ID: ea0251f8964e286d178e76dd88724dedf93f3fcf5d1b2c9adc03729cce80e354
    • Opcode Fuzzy Hash: 2e7a924b57887036cda351d50a900b3fc87ff6663746bd4f5c61131fe866968e
    • Instruction Fuzzy Hash: E5A1BF22A1D65382EB609F66A4916BE76A1FF88B84F404137DE4EC7B91DF3CE461C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset$DiskFreeSpace
    • String ID: %5lu
    • API String ID: 2448137811-2100233843
    • Opcode ID: 91b9902f1ee4f2c69dd88f1cc13d7b02493769e4bbf5f2682aca5e24acde37c3
    • Instruction ID: edc9f8eecfb3b5d531d2fca324abab8e5e73f1b7cf1a254bdab01bb3a7c3a977
    • Opcode Fuzzy Hash: 91b9902f1ee4f2c69dd88f1cc13d7b02493769e4bbf5f2682aca5e24acde37c3
    • Instruction Fuzzy Hash: B9416F66708AC286EB61DF61E8446EE7361FB84788F448036EA4D8BB59DF7CD259C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: _wcsicmp
    • String ID: GeToken: (%x) '%s'
    • API String ID: 2081463915-1994581435
    • Opcode ID: 6e4c5c6b6d185140ca64f330d229c4bae651b3bc3ca60c47b554df0f6da724cf
    • Instruction ID: 0b62b998714b12f459cb80483fe0b885c74c313adbf5af2a0b182e4f5d4786b1
    • Opcode Fuzzy Hash: 6e4c5c6b6d185140ca64f330d229c4bae651b3bc3ca60c47b554df0f6da724cf
    • Instruction Fuzzy Hash: 1E718A21E0C74385FB64AF25A8442BD36A0AF91758F94467BD50EC7BE2EF7CB4A18701
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: wcschr
    • String ID:
    • API String ID: 1497570035-0
    • Opcode ID: 953991e5515e9720921bfd82a5a30b3c869f8d800aebf2b352ed82d5cf5886c3
    • Instruction ID: bdf77066e8b96b062c5202ea020969b60e6c78d928af59e2fe0a4ada225d27ad
    • Opcode Fuzzy Hash: 953991e5515e9720921bfd82a5a30b3c869f8d800aebf2b352ed82d5cf5886c3
    • Instruction Fuzzy Hash: 52C1E422A0D68386EA54AF16A4502BD67A0FFC5798F084537EA5EC77D6EF3CE4608700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Find$File$CloseFirstNext
    • String ID:
    • API String ID: 3541575487-0
    • Opcode ID: 565e35bf3077f6e5330a4c685e4702854ac746395b3091a84d0a46ce28e859e6
    • Instruction ID: f2fd06483cc5d0069e62538f3fcd03786e6969ea51ef4bef5be0e97732ac5b88
    • Opcode Fuzzy Hash: 565e35bf3077f6e5330a4c685e4702854ac746395b3091a84d0a46ce28e859e6
    • Instruction Fuzzy Hash: 56A13561B1839241EE649F6694142BEA291EF45BE8F444337EEAEC77C4EE3CE465C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF6D9FDCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6D9FDB9A1,?,?,?,?,00007FF6D9FDD81A), ref: 00007FF6D9FDCDA6
      • Part of subcall function 00007FF6D9FDCD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF6D9FDB9A1,?,?,?,?,00007FF6D9FDD81A), ref: 00007FF6D9FDCDBD
    • _pipe.MSVCRT ref: 00007FF6D9FD6C1E
    • _get_osfhandle.MSVCRT ref: 00007FF6D9FD6CD1
    • DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6D9FD6CFB
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heapwcschr$AllocateDuplicateHandleProcess_dup_dup2_get_osfhandle_pipe_wcsicmpmemset
    • String ID:
    • API String ID: 1037144754-0
    • Opcode ID: 5cd10cc880c9efa22f02b238c7b986dae6fee2c2e7af1ecbe2869c05f18fdff7
    • Instruction ID: e7dc20f6c5d2e33bd0281b056e18d8551adaa181abc40c1a00519117d7803cd6
    • Opcode Fuzzy Hash: 5cd10cc880c9efa22f02b238c7b986dae6fee2c2e7af1ecbe2869c05f18fdff7
    • Instruction Fuzzy Hash: F4718C31A0864287E754AF25D8440BC76A2FF89768F14823ADA5DDB3E6DF3CE861C701
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CurrentDebugDebuggerOutputPresentStringThread
    • String ID:
    • API String ID: 4268342597-0
    • Opcode ID: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
    • Instruction ID: 3f7d65b4a241f8098224024250ef272c863ec2e6babe9310c9a605fba595121c
    • Opcode Fuzzy Hash: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
    • Instruction Fuzzy Hash: BD813922A0CB8681EB659F26A44423D77A4FB49B88F18417BCE4D877A5DF3CE469C701
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset$ErrorFileFindFirstLast
    • String ID:
    • API String ID: 2831795651-0
    • Opcode ID: 638df73a00ca543e65087d6208835b8c015977170cf38772a4d9fd7cf800cb00
    • Instruction ID: 612993a8cfce6be3f6c5fe91a84b652bc38415072fefdb437428262a0120a7ed
    • Opcode Fuzzy Hash: 638df73a00ca543e65087d6208835b8c015977170cf38772a4d9fd7cf800cb00
    • Instruction Fuzzy Hash: 47D1C276A0868286EB64DF25E4502BE77A1FB84B98F105136DE8EC7798DF3CE561C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • memset.MSVCRT ref: 00007FF6D9FD7DA1
      • Part of subcall function 00007FF6D9FE417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6D9FE41AD
      • Part of subcall function 00007FF6D9FDD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6D9FDD46E
      • Part of subcall function 00007FF6D9FDD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6D9FDD485
      • Part of subcall function 00007FF6D9FDD3F0: wcschr.MSVCRT ref: 00007FF6D9FDD4EE
      • Part of subcall function 00007FF6D9FDD3F0: iswspace.MSVCRT ref: 00007FF6D9FDD54D
      • Part of subcall function 00007FF6D9FDD3F0: wcschr.MSVCRT ref: 00007FF6D9FDD569
      • Part of subcall function 00007FF6D9FDD3F0: wcschr.MSVCRT ref: 00007FF6D9FDD58C
    • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6D9FD7EB7
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: wcschr$Heapmemset$AllocCurrentDirectoryProcessiswspace
    • String ID:
    • API String ID: 168394030-0
    • Opcode ID: 0e98079df390ebc712ea752efcb5069782c59026a64ae7b96eff119acfe59c53
    • Instruction ID: 5a6bae3cd46eade2d51230de0c3112bc2752b3db1bac1bb3706a704ae89a33b1
    • Opcode Fuzzy Hash: 0e98079df390ebc712ea752efcb5069782c59026a64ae7b96eff119acfe59c53
    • Instruction Fuzzy Hash: D7A1A161B1C68385FB64DF2698502BE23A1BF85788F444136DA5EC7BE5DF3CE8658700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: FileInformation$HandleQueryVolume
    • String ID:
    • API String ID: 2149833895-0
    • Opcode ID: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
    • Instruction ID: 8f3c46e3f58cf5234f72623df677c71e4898006d8b7bad8f9239bd644fac7511
    • Opcode Fuzzy Hash: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
    • Instruction Fuzzy Hash: B011513260C6C286E7609F51F4447AEB7A0FB44B48F445532DA9D83A55DFBCD458DB00
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF6D9FDD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6D9FDD46E
      • Part of subcall function 00007FF6D9FDD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6D9FDD485
      • Part of subcall function 00007FF6D9FDD3F0: wcschr.MSVCRT ref: 00007FF6D9FDD4EE
      • Part of subcall function 00007FF6D9FDD3F0: iswspace.MSVCRT ref: 00007FF6D9FDD54D
      • Part of subcall function 00007FF6D9FDD3F0: wcschr.MSVCRT ref: 00007FF6D9FDD569
      • Part of subcall function 00007FF6D9FDD3F0: wcschr.MSVCRT ref: 00007FF6D9FDD58C
    • towupper.MSVCRT ref: 00007FF6D9FD85D4
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: wcschr$Heap$AllocProcessiswspacetowupper
    • String ID:
    • API String ID: 3520273530-0
    • Opcode ID: 35085f02699a6dda62df14e5b2a3ae78ae89d6808dccd4382872d68b1f214e0d
    • Instruction ID: b7c4d31f9e074d67d3f8d63d62ff2b466fa4b4a688129546a019375c28b31bd6
    • Opcode Fuzzy Hash: 35085f02699a6dda62df14e5b2a3ae78ae89d6808dccd4382872d68b1f214e0d
    • Instruction Fuzzy Hash: 8661BC22A0C24286F7A59F25E50537D36A0FF85768F448537EA1ED73D5DF3CA8A48311
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6D9FE93BB
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
    • Instruction ID: 7533ae83e10c953f1786cb085b85f09b2cb3280889912df47a488510ae95c1cc
    • Opcode Fuzzy Hash: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
    • Instruction Fuzzy Hash: B9B01250F2A403D1D609AF32DC8506912A47F5C711FC00473C00EC2170DE1C92FBC700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: _wcsicmp$iswspacewcschr
    • String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
    • API String ID: 840959033-3627297882
    • Opcode ID: 90d0da749b6f36b650c7a119ec94b7cfa78334432448a2a31f5fb3e9199c4a7d
    • Instruction ID: 194ec4057355aad493aef35bfaf5f4c807b6c5a531e7d194b2b6b18e0da6f111
    • Opcode Fuzzy Hash: 90d0da749b6f36b650c7a119ec94b7cfa78334432448a2a31f5fb3e9199c4a7d
    • Instruction Fuzzy Hash: F4D15B21E0C64386FB20AF21E8452BD36A4FF85B48F985077DA4EC72A6DF3CE4258715
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: _wcsicmp$EnvironmentVariable
    • String ID: $P$G$CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
    • API String ID: 198002717-3447537567
    • Opcode ID: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
    • Instruction ID: 30954083d0a5a06d1e81373195f9564e4a47889057cb75597c4af662173219a0
    • Opcode Fuzzy Hash: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
    • Instruction Fuzzy Hash: 27511E25A0C74386F6205F12A81027DBBA4FF49B89F48A177DA4EC3756DF3CE1648749
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$Processwcschr$Alloc$Sizeiswspace
    • String ID: "$=,;
    • API String ID: 3545743878-4143597401
    • Opcode ID: d71805be19a967498954a19d1c0bc42ca998deadd3f79298ca6fff5ee8fe42de
    • Instruction ID: fd16281784b4d3ffa7f61485c6ae44fa461103501428766cf3a07f3acca7e63f
    • Opcode Fuzzy Hash: d71805be19a967498954a19d1c0bc42ca998deadd3f79298ca6fff5ee8fe42de
    • Instruction Fuzzy Hash: BBC19C62A0D79282EB255F11D0003BD76E1FF89F48F459276DE5E83B94EF3CA465C201
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CurrentFormatMessageThread
    • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
    • API String ID: 2411632146-3173542853
    • Opcode ID: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
    • Instruction ID: 3b5072e2030e418310c182287efad40cf5e207d73bd22a043a0003f0cd0eae49
    • Opcode Fuzzy Hash: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
    • Instruction Fuzzy Hash: 2B617861A1DB4281EA24DFA2A4045BD67A4FF48B8CF44413BDE0D97B69DF3CE668C704
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CreateFile_open_osfhandle
    • String ID: con
    • API String ID: 2905481843-4257191772
    • Opcode ID: 6867a702499016eaea53a9a4f878e431644baeefb259e0b43649b3c41a2578e5
    • Instruction ID: cf16c7acc25877da3c2cbff80538116d82d3c979b89b62572cae0e244fb61470
    • Opcode Fuzzy Hash: 6867a702499016eaea53a9a4f878e431644baeefb259e0b43649b3c41a2578e5
    • Instruction Fuzzy Hash: 1371A432A0C6828AE7218F15E4406BDBAA4FB89B65F544236DE6EC37D4DF3CD459CB04
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: ConsoleMode$Handle$wcsrchr$CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailureiswspacewcschr
    • String ID:
    • API String ID: 3829876242-3916222277
    • Opcode ID: c372b69739eb2f0c12a22be7621393de33855a61faa155eebe16cc32798ef8d9
    • Instruction ID: 2357e1fad17bd7b61555ca4b4c7cf4136f690f193074bd8d2d24e31c51291f89
    • Opcode Fuzzy Hash: c372b69739eb2f0c12a22be7621393de33855a61faa155eebe16cc32798ef8d9
    • Instruction Fuzzy Hash: 5761C436A0864287EA259F12D40427E77A4FFC9B98F498136DE0E87795DF3CE858CB00
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
    • String ID: CSVFS$NTFS$REFS
    • API String ID: 3510147486-2605508654
    • Opcode ID: 25656f9dd7156011cddd26e1f63935c756ad3329fe6ff4f37f6319205113c483
    • Instruction ID: 0c31d9ff629a9b95f861f58390ffa597f0e5f7873d061f6a976f3b116cf6d280
    • Opcode Fuzzy Hash: 25656f9dd7156011cddd26e1f63935c756ad3329fe6ff4f37f6319205113c483
    • Instruction Fuzzy Hash: EA616B32708BC28AEB618F22D8447E977A4FB49B88F458076CA0D8B799DF7CD254C704
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • longjmp.MSVCRT(?,00000000,00000000,00007FF6D9FD7279,?,?,?,?,?,00007FF6D9FDBFA9), ref: 00007FF6D9FF4485
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: longjmp
    • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
    • API String ID: 1832741078-366822981
    • Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
    • Instruction ID: df85b5cfc8ec1461b48c8b006d96b4e2a1222388ecd85bdb895deace925e40f4
    • Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
    • Instruction Fuzzy Hash: 75C1BE61E0C68381E728DF1691986BC2392AF86B8CF944037DD4DDB792CF2DE56AC300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heapwcschr$AllocateProcessmemset
    • String ID: -$:.\$=,;$=,;+/[] "
    • API String ID: 2060774286-969133440
    • Opcode ID: e048727378a3460f555082e81c55544313692faeaf2a868744a414ec58a8adda
    • Instruction ID: 33be51137617a514abec0e3931cf3dac171cfe40fbcd5470036dc4d93656242d
    • Opcode Fuzzy Hash: e048727378a3460f555082e81c55544313692faeaf2a868744a414ec58a8adda
    • Instruction Fuzzy Hash: BDB1B122A0DB8285FA709F15948427D63A1FF88BA5F954237DA5EC37E4DF3CE8658300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset$ErrorLast$InformationVolume
    • String ID: %04X-%04X$~
    • API String ID: 2748242238-2468825380
    • Opcode ID: 781cf90ddf0ffbbdddcc98e6ef54cce46e5ed54377f9fc63b4e3b7b6eb5e65df
    • Instruction ID: aefe37b432cfd61211d548dc33c4736f1579fd40d377230350cad07d3bedd5eb
    • Opcode Fuzzy Hash: 781cf90ddf0ffbbdddcc98e6ef54cce46e5ed54377f9fc63b4e3b7b6eb5e65df
    • Instruction Fuzzy Hash: C1A19E6270CBC28AEB258F21D8502EE77A5FB85789F408076DA4D8BB99DF3CD655C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: iswdigit$_errnoiswalphawcschrwcstol
    • String ID: +-~!$APerformUnaryOperation: '%c'
    • API String ID: 2348642995-441775793
    • Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
    • Instruction ID: 15de014a05f2bfe88c7af2ae1e3d6536108b3d457b581c387ee5140fc1563fbf
    • Opcode Fuzzy Hash: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
    • Instruction Fuzzy Hash: 16717872E08A4A86E7615F21D41017DB7A0FB89B98F58C033DA9EC7295EF3CA4A4C715
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset$ErrorInformationLastVolume_wcsicmptowupper
    • String ID: FAT$~
    • API String ID: 2238823677-1832570214
    • Opcode ID: 9870e3df3003cca21a2b5bb6f1f08ea82d43fbeeb1162d01b560e5e2cc2d055c
    • Instruction ID: e69f74a2c3ccf0a7a9292e08b3b7d20e02b8fc3d03b10c8f019f686e9edaebb7
    • Opcode Fuzzy Hash: 9870e3df3003cca21a2b5bb6f1f08ea82d43fbeeb1162d01b560e5e2cc2d055c
    • Instruction Fuzzy Hash: EF716932609BC28AEB318F21D8506EE77A4FB85789F448076DA4D8BB59DF3CD255C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6D9FDFE2A), ref: 00007FF6D9FDD884
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6D9FDFE2A), ref: 00007FF6D9FDD89D
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6D9FDFE2A), ref: 00007FF6D9FDD94D
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6D9FDFE2A), ref: 00007FF6D9FDD964
    • _wcsnicmp.MSVCRT ref: 00007FF6D9FDDB89
    • wcstol.MSVCRT ref: 00007FF6D9FDDBDF
    • wcstol.MSVCRT ref: 00007FF6D9FDDC63
    • memmove.MSVCRT ref: 00007FF6D9FDDD33
    • memmove.MSVCRT ref: 00007FF6D9FDDE9A
    • longjmp.MSVCRT(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6D9FDFE2A), ref: 00007FF6D9FDDF1F
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$AllocProcessmemmovewcstol$_wcsnicmplongjmp
    • String ID:
    • API String ID: 1051989028-0
    • Opcode ID: 9d997d91bc460dae83d081792f82bd463826601465a4caebf3eeed494a632e9a
    • Instruction ID: 4d50c9e9ca6c9b577cb410cb270607fc960b83e5abea3e21271842d9301cf436
    • Opcode Fuzzy Hash: 9d997d91bc460dae83d081792f82bd463826601465a4caebf3eeed494a632e9a
    • Instruction Fuzzy Hash: DE029F72A0DB8282EB249F15E44027E77A5FB85B98F558332DA8D87B94DF3CE061C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$_wcsicmp$AllocProcess
    • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
    • API String ID: 3223794493-3086019870
    • Opcode ID: 1b9e9a1fb0b62af167df92eeb5291d00af7ef6c8e61fb06bb5c7810779a96032
    • Instruction ID: d498568c377e4cd3db2ccf4137d777c5e7c519d1b01484b587b65ad8ccea87df
    • Opcode Fuzzy Hash: 1b9e9a1fb0b62af167df92eeb5291d00af7ef6c8e61fb06bb5c7810779a96032
    • Instruction Fuzzy Hash: 48517E25A0CB438AEA158F16A8501BD7BA0FF49B98F584576CA5EC73A2DF3CE465C300
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID:
    • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
    • API String ID: 0-3124875276
    • Opcode ID: b745fbc9bdecc4fead9b427a37718483e4c547d64fc83d89c1805cbb2eee3cf9
    • Instruction ID: c7514ba7ba45d55675f5f1e780cdd62c5481377be50f4f2376b5bfad0b96a0f6
    • Opcode Fuzzy Hash: b745fbc9bdecc4fead9b427a37718483e4c547d64fc83d89c1805cbb2eee3cf9
    • Instruction Fuzzy Hash: A0517B20E0C64386FB249F25E8042BD37A6EF45B49F408077CA4EC72A6EF7CA4698745
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: longjmp$Heap$AllocByteCharMultiProcessWidememmovememset
    • String ID: 0123456789
    • API String ID: 1606811317-2793719750
    • Opcode ID: e40b2a327a299dd0e466262e2513d9586320006c609d662f0b5b9f1fab087ccd
    • Instruction ID: 92c39027f30268a1da3409f6bbff28c9e5235751ff089bafe52ce83f886b440e
    • Opcode Fuzzy Hash: e40b2a327a299dd0e466262e2513d9586320006c609d662f0b5b9f1fab087ccd
    • Instruction Fuzzy Hash: 9FD18C25A1CA4382EA108F25A8406BD77A0FF85798F884277DA5DC77A6EF3CE425C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
    • String ID: \\.\
    • API String ID: 799470305-2900601889
    • Opcode ID: 54d19c3779d548040f92f3520906801ddb16aa6d7fde4edd6d52b252c225e034
    • Instruction ID: d17ec2f06ec9934a233a5f50b479d1ce2ddeae222a2a9d482839bda354ab80fc
    • Opcode Fuzzy Hash: 54d19c3779d548040f92f3520906801ddb16aa6d7fde4edd6d52b252c225e034
    • Instruction Fuzzy Hash: 0D51A232B09B8286EB618F21E8002BD77A4FB89B94F498537DA4ECB795DF3CD5558700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
    • String ID:
    • API String ID: 1944892715-0
    • Opcode ID: 3b8946a33086edb33030d5444c24fecad3efc8509d9ed6e2406bfcb5b6270845
    • Instruction ID: 37c6497138a926551e477e489e2d2ea79bee3ee158425c210ed4bb1ce442b7b7
    • Opcode Fuzzy Hash: 3b8946a33086edb33030d5444c24fecad3efc8509d9ed6e2406bfcb5b6270845
    • Instruction Fuzzy Hash: 8BB17C61A09743CAEA659F12A8501BD76A0FF99B85F588937CA4EC73D1EF7CE460C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF6D9FE3578: _get_osfhandle.MSVCRT ref: 00007FF6D9FE3584
      • Part of subcall function 00007FF6D9FE3578: GetFileType.KERNELBASE(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE359C
      • Part of subcall function 00007FF6D9FE3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE35C3
      • Part of subcall function 00007FF6D9FE3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE35D9
      • Part of subcall function 00007FF6D9FE3578: GetConsoleMode.KERNELBASE(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE35ED
      • Part of subcall function 00007FF6D9FE3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6D9FD32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6D9FE3602
    • _get_osfhandle.MSVCRT ref: 00007FF6D9FD54DE
    • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF6D9FD1F7D), ref: 00007FF6D9FD552B
    • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF6D9FD1F7D), ref: 00007FF6D9FD554F
    • _get_osfhandle.MSVCRT ref: 00007FF6D9FF345F
    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF6D9FD1F7D), ref: 00007FF6D9FF347E
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF6D9FD1F7D), ref: 00007FF6D9FF34C3
    • _get_osfhandle.MSVCRT ref: 00007FF6D9FF34DB
    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF6D9FD1F7D), ref: 00007FF6D9FF34FA
      • Part of subcall function 00007FF6D9FE36EC: _get_osfhandle.MSVCRT ref: 00007FF6D9FE3715
      • Part of subcall function 00007FF6D9FE36EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6D9FE3770
      • Part of subcall function 00007FF6D9FE36EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6D9FE3791
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
    • String ID:
    • API String ID: 1356649289-0
    • Opcode ID: 979cfed9b7e49896089137fee2950bcbc78046ff4176823b72def202f83e2622
    • Instruction ID: abaf7b78fd69be36f970ae6bed7c01ffadf4438350ad8e1aecda856efc1d9def
    • Opcode Fuzzy Hash: 979cfed9b7e49896089137fee2950bcbc78046ff4176823b72def202f83e2622
    • Instruction Fuzzy Hash: 04919132A086438BEB249F21E40017DB7A5FB89B88F584176DA4E87795DF7CE468CB04
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: ConsoleTitlewcschr
    • String ID: /$:
    • API String ID: 2364928044-4222935259
    • Opcode ID: d29fa59355cffc5306ca18f9cd167c37574d9aebd702a778799a5a4d83468f83
    • Instruction ID: ba89529ce11c9320f472e547fe300b7d345774bccfc525c6cbfbc15e59d5ee53
    • Opcode Fuzzy Hash: d29fa59355cffc5306ca18f9cd167c37574d9aebd702a778799a5a4d83468f83
    • Instruction Fuzzy Hash: 4EC1BC62E0C64281FB64AF25D4546BD62A2EF91B98F449133DA1EC73E1EF3CE860D301
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: LocalTime$ErrorLast_get_osfhandle
    • String ID: %s$/-.$:
    • API String ID: 1644023181-879152773
    • Opcode ID: 1c267f07557e1e8594cfee3140c6f6e344d5dd92c4012508e119af3b8928d48f
    • Instruction ID: 936aceaac8b3e7266289be5747492bd89caf00e516fdfa4405b425b9e86612f2
    • Opcode Fuzzy Hash: 1c267f07557e1e8594cfee3140c6f6e344d5dd92c4012508e119af3b8928d48f
    • Instruction Fuzzy Hash: F491AD22B4864295EB209F25D4402BE66A0FF85B98F848937DA4FC76D5EE3CE569C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6D9FF7251), ref: 00007FF6D9FF628E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: ObjectSingleWait
    • String ID: wil
    • API String ID: 24740636-1589926490
    • Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
    • Instruction ID: 54ff3936760184fa419c6bc0956a345c10cb63784116ac03cd0a0d4d4cee1e17
    • Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
    • Instruction Fuzzy Hash: 08414D21A0C54B83F7204F11E40027D66A1EF86799F649172E94AC7B95DF3DE86DC701
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
    • String ID: $Application$System
    • API String ID: 3377411628-1881496484
    • Opcode ID: 081ad1a78538691813d500f2119477f8c8ef04af017c9f27d6f6f5b033d517ce
    • Instruction ID: b6aaee8fc698f012c9febb3cc9974833d1131e9832774c167343c75de3d9ffee
    • Opcode Fuzzy Hash: 081ad1a78538691813d500f2119477f8c8ef04af017c9f27d6f6f5b033d517ce
    • Instruction Fuzzy Hash: 7B416932B18B429AE7209F61E4403ED7BA5FB89748F445176DA4E83B99EF3CD119C740
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
    • String ID: :$\
    • API String ID: 3961617410-1166558509
    • Opcode ID: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
    • Instruction ID: 95b9e474e42a57e4d8edc85067bde8d3bd297c63241268c63d3cc64f01756b90
    • Opcode Fuzzy Hash: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
    • Instruction Fuzzy Hash: 9421A122B1CA83C6E7645F61A44417DBAA1FF89B95F448673DA1FC3790DF3CD4648601
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CreateDirectoryDriveFullNamePathTypememset
    • String ID:
    • API String ID: 1397130798-0
    • Opcode ID: 2f866f744eda2d375aa2d8cb453d95d81c4802dc249533727c77acd7fb7658c8
    • Instruction ID: f00d474968842e1ad0c312b6571ab8cec6e12ac8c64813e3b02c3099b076a8e5
    • Opcode Fuzzy Hash: 2f866f744eda2d375aa2d8cb453d95d81c4802dc249533727c77acd7fb7658c8
    • Instruction Fuzzy Hash: F89193A2B09B8286EB758F11D4402BD73A5FF88B85F458136EA8EC7794DF3CE9518700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF6D9FE06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FDB4DB), ref: 00007FF6D9FE06D6
      • Part of subcall function 00007FF6D9FE06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FDB4DB), ref: 00007FF6D9FE06F0
      • Part of subcall function 00007FF6D9FE06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FDB4DB), ref: 00007FF6D9FE074D
      • Part of subcall function 00007FF6D9FE06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FDB4DB), ref: 00007FF6D9FE0762
    • _wcsicmp.MSVCRT ref: 00007FF6D9FE25CA
    • _wcsicmp.MSVCRT ref: 00007FF6D9FE25E8
    • _wcsicmp.MSVCRT ref: 00007FF6D9FE260F
    • _wcsicmp.MSVCRT ref: 00007FF6D9FE2636
    • _wcsicmp.MSVCRT ref: 00007FF6D9FE2650
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: _wcsicmp$Heap$AllocProcess
    • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
    • API String ID: 3407644289-1668778490
    • Opcode ID: 6b20a7c0308f2f6d4956041ee9f3b19beb2519d0e51fe48ee44493608e18250d
    • Instruction ID: d325c54206df9dd9a6443f3df8c1d1422f211f7fdef6e54c22ca3274f4f0a885
    • Opcode Fuzzy Hash: 6b20a7c0308f2f6d4956041ee9f3b19beb2519d0e51fe48ee44493608e18250d
    • Instruction Fuzzy Hash: 16314F61A1C64386F7256F21E8113BD6694EF84B88F448177DA4EC72E6EF3CE424C715
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
    • String ID: &()[]{}^=;!%'+,`~
    • API String ID: 2516562204-381716982
    • Opcode ID: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
    • Instruction ID: 042f4e85c40e77dabd2af13bf3c81630662aff8f8609af54c469d1ef80bab6d5
    • Opcode Fuzzy Hash: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
    • Instruction Fuzzy Hash: A9C1B232A1879286E7648F26E84027E77A1FB44B98F445136EE8D83B99DF3CE461D704
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF6D9FDD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6D9FDD46E
      • Part of subcall function 00007FF6D9FDD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6D9FDD485
      • Part of subcall function 00007FF6D9FDD3F0: wcschr.MSVCRT ref: 00007FF6D9FDD4EE
      • Part of subcall function 00007FF6D9FDD3F0: iswspace.MSVCRT ref: 00007FF6D9FDD54D
      • Part of subcall function 00007FF6D9FDD3F0: wcschr.MSVCRT ref: 00007FF6D9FDD569
      • Part of subcall function 00007FF6D9FDD3F0: wcschr.MSVCRT ref: 00007FF6D9FDD58C
    • iswspace.MSVCRT ref: 00007FF6D9FE7EEE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: wcschr$Heapiswspace$AllocProcess
    • String ID: A
    • API String ID: 3731854180-3554254475
    • Opcode ID: cbbec4da78b9c0bcd8cfdbfb7eb308b7a7d6a14b45e0d18e4a5b6038242856f5
    • Instruction ID: fc6ee03b1b29444894a4b2d0f8a7aa92beb754b3984b5723b25019d12dcba709
    • Opcode Fuzzy Hash: cbbec4da78b9c0bcd8cfdbfb7eb308b7a7d6a14b45e0d18e4a5b6038242856f5
    • Instruction Fuzzy Hash: 97A18E21A0D68386EB609F11E85027DB7A0FF45798F048176DA8DC77A6EF3CE465DB01
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: MemoryProcessRead$AddressLibraryLoadProc
    • String ID: NTDLL.DLL$NtQueryInformationProcess
    • API String ID: 1580871199-2613899276
    • Opcode ID: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
    • Instruction ID: 5caa1d64c3254c46c019a3c673878de8f18008f2397641423b8c98b8c6906535
    • Opcode Fuzzy Hash: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
    • Instruction Fuzzy Hash: B1519476A18B8286EB208F16E84027D77A4FF88F88F445176DA5E83B55EF3CD125C704
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
    • String ID: con
    • API String ID: 689241570-4257191772
    • Opcode ID: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
    • Instruction ID: a252ae5aed31ad1699e78da38442d2307f012ebd9401c89b7b099121d945ba9b
    • Opcode Fuzzy Hash: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
    • Instruction Fuzzy Hash: FE41C432A0864687E3208F15944437DBAA5FB89BA8F658336DA6D873D0CF3DD859C740
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
    • String ID: PE
    • API String ID: 2941894976-4258593460
    • Opcode ID: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
    • Instruction ID: 73891730465bb20c50727995d61d07130aa5db6e138801ef401fcf7df435f283
    • Opcode Fuzzy Hash: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
    • Instruction Fuzzy Hash: 3F41697260865287E6209F11E45067DBBA0FBC9B94F444132DE5D83B95FF3CE469CB01
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF6D9FF849D,?,?,?,00007FF6D9FFF0C7), ref: 00007FF6D9FE0045
    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6D9FFF0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6D9FFE964), ref: 00007FF6D9FE0071
    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6D9FE0092
    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6D9FE00A7
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6D9FE0148
    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6D9FE0181
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
    • String ID:
    • API String ID: 734197835-0
    • Opcode ID: 6daa823d36a278c72bc8dcf2d42bf9926b6fb5b8f0ec4fad86b12d1df65ba387
    • Instruction ID: 562e40dbd6cfac8dc468b76e40c413bb66b03832817c14e53d1a0ee426c7997a
    • Opcode Fuzzy Hash: 6daa823d36a278c72bc8dcf2d42bf9926b6fb5b8f0ec4fad86b12d1df65ba387
    • Instruction Fuzzy Hash: F9618036A0C69386E7258F25A80437D7AA1FB46B48F488277DD9EC7791DF3CA465C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Enum$Openwcsrchr
    • String ID: %s=%s$.$\Shell\Open\Command
    • API String ID: 3402383852-1459555574
    • Opcode ID: 525d1a7a22f625536f812f4559a32cd03a6fb8b63cc25c933afa18de369c566e
    • Instruction ID: 7c3815c5750d8043f3d32df01983d9bbb4a88f43d2f4869f0d71fad276caab5a
    • Opcode Fuzzy Hash: 525d1a7a22f625536f812f4559a32cd03a6fb8b63cc25c933afa18de369c566e
    • Instruction Fuzzy Hash: 87A1C462A0C74282EE119F55D0502BE63A0FF85B98F944537DA4D87BD5EF7CE9A9C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset$wcscmp
    • String ID: %s
    • API String ID: 243296809-3043279178
    • Opcode ID: 44f0c51c5f4366950aa2e9ddfdc4d68a7a2ef5c9fa26bc065f037a37bf0143dd
    • Instruction ID: cb5495344b0867b7f3c5c16240073a724c65b8945654c9d7e92584428cfdca27
    • Opcode Fuzzy Hash: 44f0c51c5f4366950aa2e9ddfdc4d68a7a2ef5c9fa26bc065f037a37bf0143dd
    • Instruction Fuzzy Hash: A5A15A22B0968696EB75DF21D8403FD23A1FB49748F144136DA9ECB695EF3CE664C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset$EnvironmentVariable
    • String ID: DIRCMD
    • API String ID: 1405722092-1465291664
    • Opcode ID: 07ed24d3f9858967d8773748a1b845eb6e6d892857c645de86590165c90f9600
    • Instruction ID: 50b46456fb6e0d192367aa1b139f52c98f69bf627af854eb9f42962a1af08b15
    • Opcode Fuzzy Hash: 07ed24d3f9858967d8773748a1b845eb6e6d892857c645de86590165c90f9600
    • Instruction Fuzzy Hash: 73816E72A18BC28AEB20DF61E8802ED37A5FB89748F14413ADB8D97B59DF38D155C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$wcschr$Process$AllocateFree_setjmp_wcsuprmemsetwcscmp
    • String ID: FOR$ IF
    • API String ID: 557945885-2924197646
    • Opcode ID: 9fbc3e5bcf3e94118a1bc0a9f9aa5fee9472dcf9e4a7545975834e3c01b17498
    • Instruction ID: 736846286bf45f6248873b557adf9d0579de5d4fa9c593a0516a0ed02b6993fd
    • Opcode Fuzzy Hash: 9fbc3e5bcf3e94118a1bc0a9f9aa5fee9472dcf9e4a7545975834e3c01b17498
    • Instruction Fuzzy Hash: DC518D21B0E64781FE29AF16945027D2791EF85BA5F484236D91EC77D1DE3CF9628300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: iswdigit$iswspacewcschr
    • String ID: )$=,;
    • API String ID: 1959970872-2167043656
    • Opcode ID: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
    • Instruction ID: a88c6f34b163c9985b080134b21f7aa739d7df5b584231ad4253e352114d3a70
    • Opcode Fuzzy Hash: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
    • Instruction Fuzzy Hash: DD419B66F2C25386FB648F12E90477D36A0AF91759F849037CA8CC33A0EF3CA4A18705
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: ErrorLast$InformationVolumeiswalphatowupper
    • String ID: %04X-%04X$:
    • API String ID: 930873262-1938371929
    • Opcode ID: 978e31d94f6f2106114982db72c5995a26a20c8019cabdbd394f6a877edec6b5
    • Instruction ID: 4a4303612995fcbe0c35fa171825c4539ee599024a21c8f5c20af9ac351a9ad8
    • Opcode Fuzzy Hash: 978e31d94f6f2106114982db72c5995a26a20c8019cabdbd394f6a877edec6b5
    • Instruction Fuzzy Hash: 21417031A0CA8382EB209F61E4452BE6360FB85759F404177DA4DC36D6DF7CE568C710
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
    • String ID: $P$G
    • API String ID: 3249344982-2079915088
    • Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
    • Instruction ID: 33f9d925f02576d872e628617ecb953a61af6a6efde0f0163d80021dc7e7b12e
    • Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
    • Instruction Fuzzy Hash: 27414F7261CB4286E3108F12A84477EBAE4FB49BD8F448276DA4D87795DF7CD0658B04
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: wcschr$iswdigit
    • String ID: +-~!$<>+-*/%()|^&=,
    • API String ID: 2770779731-632268628
    • Opcode ID: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
    • Instruction ID: 5063252431fbd1830017e5ca6a14c05b39f2f2fbeffea0bf69f48c9d94c349ea
    • Opcode Fuzzy Hash: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
    • Instruction Fuzzy Hash: A5312826A08E5AC5EA649F02E45027D76A0FB89F89B458077DA5EC3395EF3CE424C304
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: File_get_osfhandle$Pointer$BuffersFlushRead
    • String ID:
    • API String ID: 3192234081-0
    • Opcode ID: 70e582d2ff1694b1eb8906732218cc539a96d111935978aaaa65a21b5ca98f21
    • Instruction ID: 92a808f2d571ae7cac83d901c08e07a1e37a97c58ed139818a45fd3b03c6f41f
    • Opcode Fuzzy Hash: 70e582d2ff1694b1eb8906732218cc539a96d111935978aaaa65a21b5ca98f21
    • Instruction Fuzzy Hash: 9331B631B08642CBE7209F22E40467DBB91FB8AB99F449235DE8A87795CF3CD415CB00
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF6D9FE14D6,?,?,?,00007FF6D9FDAA22,?,?,?,00007FF6D9FD847E), ref: 00007FF6D9FE1673
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6D9FE14D6,?,?,?,00007FF6D9FDAA22,?,?,?,00007FF6D9FD847E), ref: 00007FF6D9FE168D
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6D9FE14D6,?,?,?,00007FF6D9FDAA22,?,?,?,00007FF6D9FD847E), ref: 00007FF6D9FE1757
    • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6D9FE14D6,?,?,?,00007FF6D9FDAA22,?,?,?,00007FF6D9FD847E), ref: 00007FF6D9FE176E
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6D9FE14D6,?,?,?,00007FF6D9FDAA22,?,?,?,00007FF6D9FD847E), ref: 00007FF6D9FE1788
    • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6D9FE14D6,?,?,?,00007FF6D9FDAA22,?,?,?,00007FF6D9FD847E), ref: 00007FF6D9FE179C
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$Process$Alloc$Size
    • String ID:
    • API String ID: 3586862581-0
    • Opcode ID: 3196afb9ea3d41201a8166459e9d0438d87d531f6b60091101265a9fd18966e8
    • Instruction ID: ca2cf3433f2b0adaa0a06bdc948655d53da585fbad0ba51494a7ee02d45661f7
    • Opcode Fuzzy Hash: 3196afb9ea3d41201a8166459e9d0438d87d531f6b60091101265a9fd18966e8
    • Instruction Fuzzy Hash: 53916C65A09B5681EB218F16E4803BD76A0FB48B98F598237DE5DC77A1EF3CE461C304
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
    • String ID:
    • API String ID: 920682188-0
    • Opcode ID: 72aab322a4609a9c908fc99101459a8672872acad55ba8d77b7613640cd03a1d
    • Instruction ID: 38b3d8dfe5a7c360835a33630ea489b662b86d86501d1cfdb6f71bafe160e68f
    • Opcode Fuzzy Hash: 72aab322a4609a9c908fc99101459a8672872acad55ba8d77b7613640cd03a1d
    • Instruction Fuzzy Hash: 02513736609B818AEB25DF21D8542EC77A4FB89B48F048076CA4D87755EF3CD669C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: iswdigit$iswspacewcschr
    • String ID: )$=,;
    • API String ID: 1959970872-2167043656
    • Opcode ID: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
    • Instruction ID: b36fcf560e837b1d138d7c8201e934d5f9ae40f9547050f4cff6ca0e360a8818
    • Opcode Fuzzy Hash: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
    • Instruction Fuzzy Hash: CB41A965F2C21386FB644F12E9087BD36A0AF91749F945077C98DC32A0EF3CA4B18A05
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: _wcsnicmpfprintfwcsrchr
    • String ID: CMD Internal Error %s$%s$Null environment
    • API String ID: 3625580822-2781220306
    • Opcode ID: 3cdfeede7ea9cb233e656df7c73d074badb7d386eaab989116ed0f8eb977d474
    • Instruction ID: 44903e2097865305647945168b999252804c69ebc8d1573dbddfcc8dfb1376de
    • Opcode Fuzzy Hash: 3cdfeede7ea9cb233e656df7c73d074badb7d386eaab989116ed0f8eb977d474
    • Instruction Fuzzy Hash: C431D021A0C64792EE289F42E5001BE72A4FF45B9CF444136CE2D977E6EE3CE4A9C304
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memsetwcsspn
    • String ID:
    • API String ID: 3809306610-0
    • Opcode ID: 57a5787843a69364694d2dc292972d812e039d942152acd4f4fca5a99e460c4a
    • Instruction ID: 42347800a612a4b73b3e1a8106f55cd209b8b671f2082e082f54b4c2a3780211
    • Opcode Fuzzy Hash: 57a5787843a69364694d2dc292972d812e039d942152acd4f4fca5a99e460c4a
    • Instruction Fuzzy Hash: 70B17F72A08B8686EA51CF15E4906BD77A0FB85B84F858033DA4EC7795EF7DE861C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: wcschr$iswdigit$wcstol
    • String ID:
    • API String ID: 3841054028-0
    • Opcode ID: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
    • Instruction ID: 8fe2e31b6377e233b00a512f0c81ad02c6637499511b4253e62037736019bd2d
    • Opcode Fuzzy Hash: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
    • Instruction Fuzzy Hash: 7151C526A0865382EB649F16D4001BD76A1FF69B58F458633DE5EC3AD4EF3CE466C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _get_osfhandle.MSVCRT ref: 00007FF6D9FF3687
    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6D9FD260D), ref: 00007FF6D9FF36A6
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6D9FD260D), ref: 00007FF6D9FF36EB
    • _get_osfhandle.MSVCRT ref: 00007FF6D9FF3703
    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6D9FD260D), ref: 00007FF6D9FF3722
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Console$Write_get_osfhandle$Mode
    • String ID:
    • API String ID: 1066134489-0
    • Opcode ID: 2a240abe1de52d061e59be031b55d9e6e9a28d534bea7de0be598d79ad0bcc1b
    • Instruction ID: 197cdbc4f0a83d8cc73beaaaa9dc858606b9caec0f49b10de6e31c94f369eba9
    • Opcode Fuzzy Hash: 2a240abe1de52d061e59be031b55d9e6e9a28d534bea7de0be598d79ad0bcc1b
    • Instruction Fuzzy Hash: 7551AF62B0C64387EA245F22A40457EA691FF84BD8F084476DE1EC7795EFBCE468CB01
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset$DriveErrorInformationLastTypeVolume
    • String ID:
    • API String ID: 850181435-0
    • Opcode ID: e30f486a492b6204ca4cfe222f6522b4387915627d195f2e6e30a15257811e7a
    • Instruction ID: 9b9da767a6240c0e211e6dac13439da6e5062ca80634d1bb91618df54a69c468
    • Opcode Fuzzy Hash: e30f486a492b6204ca4cfe222f6522b4387915627d195f2e6e30a15257811e7a
    • Instruction Fuzzy Hash: B3416A32608BC1CAE7718F21D8442ED77A4FB89B49F494536DA4D8BB48CF38D695C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
    • String ID: KEYS$LIST$OFF
    • API String ID: 411561164-4129271751
    • Opcode ID: 7ad00a9c86f77bb16093b9e442d0c3b03c89383a104a9bcf3af4e47923f87761
    • Instruction ID: 5fd899c20df951e643cd1964ae93e6bf9371dee720170e571b33e69918ab3300
    • Opcode Fuzzy Hash: 7ad00a9c86f77bb16093b9e442d0c3b03c89383a104a9bcf3af4e47923f87761
    • Instruction Fuzzy Hash: 4B213D21E0CA0396F7549F26E84117D66A1EF847A9F509273CB1EC72E6EF7CA468C704
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
    • String ID:
    • API String ID: 4104442557-0
    • Opcode ID: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
    • Instruction ID: 17e0e229e0317fa41d7064245191b9f9e1f0ccdee393b668857bf58d16a06b3e
    • Opcode Fuzzy Hash: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
    • Instruction Fuzzy Hash: 08115122608B428BEB10DF61E8452AC33A8FB1975CF440A36EA6D87B55DF7CD1A48344
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6D9FF71F9
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6D9FF720D
    • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6D9FF7300
      • Part of subcall function 00007FF6D9FF5740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF6D9FF75C4,?,?,00000000,00007FF6D9FF6999,?,?,?,?,?,00007FF6D9FE8C39), ref: 00007FF6D9FF5744
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: OpenSemaphore$CloseErrorHandleLast
    • String ID: _p0$wil
    • API String ID: 455305043-1814513734
    • Opcode ID: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
    • Instruction ID: 27190b57c3129f20705f67223275b3d86d538c60cad4d471a450aa39c4665cb2
    • Opcode Fuzzy Hash: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
    • Instruction Fuzzy Hash: 4D61D362B1968285EF25CF6598102BDA3A1FF88B88F544433DA4E87795EF3CE529C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: wcschr$Heapiswspacememset$AllocProcess
    • String ID: %s
    • API String ID: 2401724867-3043279178
    • Opcode ID: 0e8decf08ffcf42e36446defa7b9fc8eaea003f80f69816cc42936f12a4f8683
    • Instruction ID: 8886efa80d7b01e74966dffcf63ca8a1ae363a37b408a5466081afced4e348ed
    • Opcode Fuzzy Hash: 0e8decf08ffcf42e36446defa7b9fc8eaea003f80f69816cc42936f12a4f8683
    • Instruction Fuzzy Hash: C3517E72B0968286EB218F21D8502BD73A0EB89B98F484176DA5DCB795EF3CE565C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: iswdigit
    • String ID: GeToken: (%x) '%s'
    • API String ID: 3849470556-1994581435
    • Opcode ID: 6f2266824f556b61efcee7c2a2893d7da7f07ebce486ed85b38b9357e29a252f
    • Instruction ID: a23a8855d200afe2a46fa9d6065e08542043ba8b1f68b2c28771978e8150bd7c
    • Opcode Fuzzy Hash: 6f2266824f556b61efcee7c2a2893d7da7f07ebce486ed85b38b9357e29a252f
    • Instruction Fuzzy Hash: 45516532A0CA4286EB249F56A44427E7BA0FF95B58F408437DA4DC7391EF7DE8A4C710
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6D9FF9A10
    • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6D9FF9994
      • Part of subcall function 00007FF6D9FFA73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6D9FF9A82), ref: 00007FF6D9FFA77A
      • Part of subcall function 00007FF6D9FFA73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6D9FF9A82), ref: 00007FF6D9FFA839
      • Part of subcall function 00007FF6D9FFA73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6D9FF9A82), ref: 00007FF6D9FFA850
    • wcsrchr.MSVCRT ref: 00007FF6D9FF9A62
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: ErrorLast$CloseEnumOpenwcsrchr
    • String ID: %s=%s$.
    • API String ID: 3242694432-4275322459
    • Opcode ID: 93cd8132ec43aa136fa1977c97fa5e218ef6435ae6b1180140c0b1f530de0a7c
    • Instruction ID: b61696781aa2e7b9fb67fd01a7daf688c3975e70f8224cb52d1a3818f327971c
    • Opcode Fuzzy Hash: 93cd8132ec43aa136fa1977c97fa5e218ef6435ae6b1180140c0b1f530de0a7c
    • Instruction Fuzzy Hash: 4F41A225B0D74386FE219F11A0502BD62A1FF867A8F544236DE5D877D6EE7CE4A9C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6D9FF54E6
    • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6D9FF552E
      • Part of subcall function 00007FF6D9FF758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF6D9FF6999,?,?,?,?,?,00007FF6D9FE8C39), ref: 00007FF6D9FF75AE
      • Part of subcall function 00007FF6D9FF758C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF6D9FF6999,?,?,?,?,?,00007FF6D9FE8C39), ref: 00007FF6D9FF75C6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: ErrorLast$CreateCurrentMutexProcess
    • String ID: Local\SM0:%d:%d:%hs$wil$x
    • API String ID: 779401067-630742106
    • Opcode ID: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
    • Instruction ID: 91c5473343baedd0b6d627953ddb36c46af7019b94f4d7d7033b805785012496
    • Opcode Fuzzy Hash: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
    • Instruction Fuzzy Hash: 87516072A1CA8682EB219F51E4407FEA361EF84B8CF544033EA4DCBA55DE7CE519C700
    Uniqueness

    Uniqueness Score: -1.00%
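
    The per-function records in this section (call sites with the API set they resolve to, the `$`-separated API ID and String ID groups, the two-part API String ID, and "Part of subcall function" entries for calls made one level down) can be turned into structured data so an analyst can ask which functions reach a given API combination, for example the GetCurrentProcessId + CreateMutexExW pair above that builds the `Local\SM0:%d:%d:%hs` object name. The parser below is an added example and is not part of the Joe Sandbox report or its IDA plugin; its sample input is constructed inline from two of the records in this section with argument lists abridged, and the `Record`/`ApiCall` field names, the `functions_calling` helper and the treatment of `$` and `-` as plain delimiters are this example's own assumptions about the format.

```python
"""Parse Joe Sandbox 'IDA Plugin' per-function records (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed from two records in this report; argument lists abridged.
SAMPLE = """\
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00007FF6D9FE14D6), ref: 00007FF6D9FE1673
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FE14D6), ref: 00007FF6D9FE168D
• HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FE14D6), ref: 00007FF6D9FE179C
Similarity
• API ID: Heap$Process$Alloc$Size
• String ID:
• API String ID: 3586862581-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6D9FF54E6
• CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6D9FF552E
  • Part of subcall function 00007FF6D9FF758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF6D9FF6999), ref: 00007FF6D9FF75AE
Strings
Similarity
• API ID: ErrorLast$CreateCurrentMutexProcess
• String ID: Local\\SM0:%d:%d:%hs$wil$x
• API String ID: 779401067-630742106
Uniqueness
Uniqueness Score: -1.00%
"""

# One call line: "[Part of subcall function ADDR: ]Name.Module[(args)], ref: ADDR"
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?(?P<name>[^.]+)\."
                    r"(?P<module>[^(,\s]+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}


@dataclass
class ApiCall:
    name: str
    module: str                # API set / DLL the import resolves to
    ref: int                   # call-site address
    args: Tuple[str, ...]      # argument values as reported; '?' means unresolved
    subcall_of: Optional[int]  # callee address when the call happens inside a subroutine


@dataclass
class Record:
    calls: List[ApiCall] = field(default_factory=list)
    api_ids: List[str] = field(default_factory=list)  # 'API ID' groups, '$'-separated
    strings: List[str] = field(default_factory=list)  # 'String ID' values, '$'-separated
    api_string_id: Tuple[int, int] = (0, 0)           # (api part, string part); 0 = no strings


def parse_records(text: str) -> List[Record]:
    """Each record starts at its 'APIs' header; later headers switch the section."""
    recs, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Record()
            recs.append(cur)
            section = "APIs"
        elif cur is None or not line:
            continue
        elif line in HEADERS:
            section = line
        elif line.startswith("•"):
            body = line[1:].strip()
            if section == "APIs" and (m := API_RE.match(body)):
                args = tuple(m["args"].split(",")) if m["args"] is not None else ()
                sub = int(m["sub"], 16) if m["sub"] else None
                cur.calls.append(ApiCall(m["name"], m["module"], int(m["ref"], 16), args, sub))
            elif section == "Similarity":
                key, _, value = body.partition(":")
                key, value = key.strip(), value.strip()
                if key == "API ID":
                    cur.api_ids = value.split("$") if value else []
                elif key == "String ID":
                    cur.strings = value.split("$") if value else []
                elif key == "API String ID":
                    api_part, _, str_part = value.partition("-")
                    cur.api_string_id = (int(api_part), int(str_part))
    return recs


def functions_calling(recs, *names, include_subcalls=False):
    """Records whose call list covers every API in names (direct call sites only by default)."""
    want = set(names)
    return [r for r in recs
            if want <= {c.name for c in r.calls if include_subcalls or c.subcall_of is None}]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in functions_calling(recs, "CreateMutexExW", "GetCurrentProcessId"):
        print(f"mutex+pid record: strings={r.strings} api_string_id={r.api_string_id}")
```

    Direct call sites and "Part of subcall function" entries are kept apart, so a query can distinguish what a function calls itself from what its callees do; pass include_subcalls=True to fold the latter in. Lines that are neither a header nor a bullet (such as the Uniqueness Score) are skipped rather than treated as errors, since the report's fixed-text lines vary between records.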

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CurrentDirectorytowupper
    • String ID: :$:
    • API String ID: 238703822-3780739392
    • Opcode ID: a6328a6c3dc4b43d0528279963caee78f723bc6a38f6b0cfe87d14265630f542
    • Instruction ID: 5e3a879f7ff5f04226dd77d0cfcbef3453e0d274955e04751b819d720bd71d0a
    • Opcode Fuzzy Hash: a6328a6c3dc4b43d0528279963caee78f723bc6a38f6b0cfe87d14265630f542
    • Instruction Fuzzy Hash: 9711045260C74185EB268F62A80427DB6A0EF49799F459137DD0DC7791DF3CD0518705
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memsetwcsrchr$wcschr
    • String ID:
    • API String ID: 110935159-0
    • Opcode ID: 7f89d826d325d620df1b2fcc26921faad221c5699a8a27cefdce3e68956840aa
    • Instruction ID: ee179f787bff181f136049ce8a924e0375a0cbc51c44d366cc40b61f59250205
    • Opcode Fuzzy Hash: 7f89d826d325d620df1b2fcc26921faad221c5699a8a27cefdce3e68956840aa
    • Instruction Fuzzy Hash: B9518122B0978285FA319F1198147FD6295BB89BA8F484532CE5E8B7D5DF3CE566C200
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset$CurrentDirectorytowupper
    • String ID:
    • API String ID: 1403193329-0
    • Opcode ID: 42cade6b9a84014cdd55cf9873a1d02384d54167611cbf46e5f63f406bd17b97
    • Instruction ID: a336c245adbb443a3f99316853b43dd22ae2e995bcd7b8969337129e18864c9c
    • Opcode Fuzzy Hash: 42cade6b9a84014cdd55cf9873a1d02384d54167611cbf46e5f63f406bd17b97
    • Instruction Fuzzy Hash: E151C126B0979685EB65DF21D8006BE77A0FF49798F458137CA1DC7698EF3CE9648300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • memset.MSVCRT ref: 00007FF6D9FD921C
    • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6D9FD93AA
      • Part of subcall function 00007FF6D9FD8B20: wcsrchr.MSVCRT ref: 00007FF6D9FD8BAB
      • Part of subcall function 00007FF6D9FD8B20: _wcsicmp.MSVCRT ref: 00007FF6D9FD8BD4
      • Part of subcall function 00007FF6D9FD8B20: _wcsicmp.MSVCRT ref: 00007FF6D9FD8BF2
      • Part of subcall function 00007FF6D9FD8B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6D9FD8C16
      • Part of subcall function 00007FF6D9FD8B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6D9FD8C2F
      • Part of subcall function 00007FF6D9FD8B20: wcschr.MSVCRT ref: 00007FF6D9FD8CB3
      • Part of subcall function 00007FF6D9FE417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6D9FE41AD
      • Part of subcall function 00007FF6D9FE3060: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,0000000A,00007FF6D9FD92AC), ref: 00007FF6D9FE30CA
      • Part of subcall function 00007FF6D9FE3060: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6D9FE30DD
      • Part of subcall function 00007FF6D9FE3060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6D9FE30F6
      • Part of subcall function 00007FF6D9FE3060: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6D9FE3106
    • wcsrchr.MSVCRT ref: 00007FF6D9FD92D8
    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6D9FD9362
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6D9FD9373
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
    • String ID:
    • API String ID: 3966000956-0
    • Opcode ID: ebfeb5aba0ebfd8d4bf52c22c54dc17d70488fb3d721b256590214c2a6c830f5
    • Instruction ID: baab95ee3614731f223c6d90366492c2bc9e60863b7587491d8bc8be48b47ad7
    • Opcode Fuzzy Hash: ebfeb5aba0ebfd8d4bf52c22c54dc17d70488fb3d721b256590214c2a6c830f5
    • Instruction Fuzzy Hash: 90518C32A0A78286EB619F21D8503BD73A4FF89B98F044136DA4D87B95DF3CE5A1C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset$_setjmp
    • String ID:
    • API String ID: 3883041866-0
    • Opcode ID: ecc4c4b8fdff3fe7128d071ff51470f6781c2868d41e5204ec9995c2413b862b
    • Instruction ID: c72bb648f2ae633e504617547bd75084714dbfb7d4ea6b67e9fcd77b197963ee
    • Opcode Fuzzy Hash: ecc4c4b8fdff3fe7128d071ff51470f6781c2868d41e5204ec9995c2413b862b
    • Instruction Fuzzy Hash: 8F514A32A08B868AEB618F21D8503ED77A4EB89748F444176EA4DCBB49DF3CD655CB40
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _wcsicmp.MSVCRT ref: 00007FF6D9FDB4BD
      • Part of subcall function 00007FF6D9FE06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FDB4DB), ref: 00007FF6D9FE06D6
      • Part of subcall function 00007FF6D9FE06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FDB4DB), ref: 00007FF6D9FE06F0
      • Part of subcall function 00007FF6D9FE06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FDB4DB), ref: 00007FF6D9FE074D
      • Part of subcall function 00007FF6D9FE06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FDB4DB), ref: 00007FF6D9FE0762
    • _wcsicmp.MSVCRT ref: 00007FF6D9FDB518
    • _wcsicmp.MSVCRT ref: 00007FF6D9FDB58B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$_wcsicmp$AllocProcess
    • String ID: ELSE$IF/?
    • API String ID: 3223794493-1134991328
    • Opcode ID: 0034adf53437ebe6a267bb6454d80c232a79fbc284ac909260ddb0eac2ce684d
    • Instruction ID: f9a0a88a3c1c2bb1ffac5d09f4370232ff16967e7d6cd4f10ced25460606d3b6
    • Opcode Fuzzy Hash: 0034adf53437ebe6a267bb6454d80c232a79fbc284ac909260ddb0eac2ce684d
    • Instruction Fuzzy Hash: 47415721E0D74386FB65AF25A4113BE26A1AFC4759F98507BD90EC739AEF3DE4248700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset$File_get_osfhandle$PointerReadlongjmp
    • String ID:
    • API String ID: 1532185241-0
    • Opcode ID: 74ac34f79dc729dfe9fabf90352e3cd61509ac7904d18460f6508b34cf2d1b9f
    • Instruction ID: dc2a31d4a969d3e422c99fe931681ae6899045eb79c3a6915ce874b1eb74c036
    • Opcode Fuzzy Hash: 74ac34f79dc729dfe9fabf90352e3cd61509ac7904d18460f6508b34cf2d1b9f
    • Instruction Fuzzy Hash: 7841F732A087528BE7149F21D44567D7AA1FB88B88F55853BEA0EC7795CF3CE859C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: ErrorFileLast$DeleteRead_get_osfhandle
    • String ID:
    • API String ID: 3588551418-0
    • Opcode ID: 3c6522b718a1d61b4de818cf2d479c220fced2fb809985683797a1d35ac47786
    • Instruction ID: f10e4fa8f21df851f2ad44610806bd35b7c709d54a5ac31a8af0f8ea96270663
    • Opcode Fuzzy Hash: 3c6522b718a1d61b4de818cf2d479c220fced2fb809985683797a1d35ac47786
    • Instruction Fuzzy Hash: EF419F32A0C643CBE7249F51A4842BDB661EF85B89F14813ADA4EC7796CF7CE8648740
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: ErrorModememset$FullNamePath_wcsicmp
    • String ID:
    • API String ID: 2123716050-0
    • Opcode ID: adb19cba2c66798b02c2a5bbb02a13772110447b40978f30d8852c1ecb13dfff
    • Instruction ID: 391248221c2ec96eabc55045fb6a7105c3cf8068241ad4da86efccaa47f8f57e
    • Opcode Fuzzy Hash: adb19cba2c66798b02c2a5bbb02a13772110447b40978f30d8852c1ecb13dfff
    • Instruction Fuzzy Hash: 57417D32709BC68AEB729F25D8543ED2794EB49B8CF044135DA4D8BA99DF3CD258C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
    • String ID:
    • API String ID: 3114114779-0
    • Opcode ID: 1d3c40c4db9270235dfbff6205660991289e4dcca270832023e59d6b38883110
    • Instruction ID: 4a203907f67a0129a1272d3802bf86e29f64f7b3d2e545b928b0e395862289f1
    • Opcode Fuzzy Hash: 1d3c40c4db9270235dfbff6205660991289e4dcca270832023e59d6b38883110
    • Instruction Fuzzy Hash: 2B410636A09B46CAEB10CF65E8802AC37A5FB88B48F554136EA0D97B54DF38E426C740
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6D9FF9A82), ref: 00007FF6D9FFA77A
    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6D9FF9A82), ref: 00007FF6D9FFA7AF
    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6D9FF9A82), ref: 00007FF6D9FFA80E
    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6D9FF9A82), ref: 00007FF6D9FFA839
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6D9FF9A82), ref: 00007FF6D9FFA850
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: QueryValue$CloseErrorLastOpen
    • String ID:
    • API String ID: 2240656346-0
    • Opcode ID: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
    • Instruction ID: 2a64e71f33daeea9f1b4326aad9a98022e6000a9848d6dbd2cd61c013504d583
    • Opcode Fuzzy Hash: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
    • Instruction Fuzzy Hash: A8316D32A18B8286E7608F15E44057EB7A5FFC9794F944136EA8E83764EF3CD865CB00
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF6D9FE01B8: _get_osfhandle.MSVCRT ref: 00007FF6D9FE01C4
      • Part of subcall function 00007FF6D9FE01B8: GetFileType.KERNELBASE(?,?,?,00007FF6D9FEE904,?,?,?,?,00000000,00007FF6D9FE3491,?,?,?,00007FF6D9FF4420), ref: 00007FF6D9FE01D6
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6D9FFD0F9
    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF6D9FFD10F
    • ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF6D9FFD166
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6D9FFD17A
    • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF6D9FFD18C
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
    • String ID:
    • API String ID: 3008996577-0
    • Opcode ID: 775351d33c26abc02f1100cdbdeabd86f6200afad19b0e0b5f91a628eacd3d33
    • Instruction ID: c5a666b51ac85a09aa0d9bd4c5312d66ed8523199674fac2c3002a5198080f64
    • Opcode Fuzzy Hash: 775351d33c26abc02f1100cdbdeabd86f6200afad19b0e0b5f91a628eacd3d33
    • Instruction Fuzzy Hash: 99214926B18A428AF7109F71E8000BD77B0FB4DB49B445266EE0D93B99EF3CD054CB14
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6D9FFC9EE,?,?,?,00007FF6D9FFEA6C,?,?,?,00007FF6D9FFE925), ref: 00007FF6D9FE5CCB
    • GetExitCodeProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FF6D9FFC9EE,?,?,?,00007FF6D9FFEA6C,?,?,?,00007FF6D9FFE925), ref: 00007FF6D9FE5CDF
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6D9FE5D03
    • fprintf.MSVCRT ref: 00007FF6D9FEF4A9
    • fflush.MSVCRT ref: 00007FF6D9FEF4C2
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
    • String ID:
    • API String ID: 1826527819-0
    • Opcode ID: 424fc31126f981a1d5e6876f03eadb09916e9ca5210b05511d0996a25080ff4f
    • Instruction ID: f20d0ef5fef028f63953b386cf27ec62bf69a4312f4f6778a8ced7f3e625524f
    • Opcode Fuzzy Hash: 424fc31126f981a1d5e6876f03eadb09916e9ca5210b05511d0996a25080ff4f
    • Instruction Fuzzy Hash: 37016D3190C6838AE614AF26E4451BDBFA1FF8A759F445172E64F833A2DF3C90A4C715
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CreateSemaphore
    • String ID: _p0$wil
    • API String ID: 1078844751-1814513734
    • Opcode ID: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
    • Instruction ID: 089cfeebfaf513ff43b558270779dc3343fbfdebcfa5a0e4dcd973f6de3929d0
    • Opcode Fuzzy Hash: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
    • Instruction Fuzzy Hash: 37510662B1D78286EF268F95C4546BD7290EF84B98F944437DA4D8BB81EF3CE429C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset$_wcslwr
    • String ID: [%s]
    • API String ID: 886762496-302437576
    • Opcode ID: edde6ab5db54e3a5535b346c374fc5c976f6442aa931e6f93dfa572844f0dcb2
    • Instruction ID: cb5daf87e3d7779ebd7d7b4b9c94f159bbec6cae2bde87077109d7edc63f891f
    • Opcode Fuzzy Hash: edde6ab5db54e3a5535b346c374fc5c976f6442aa931e6f93dfa572844f0dcb2
    • Instruction Fuzzy Hash: 8B315932719B8285EB21DF22D8507ED67A0FB89B88F444176DA8D8BB55DF3CD2598700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: iswspace
    • String ID: off
    • API String ID: 2389812497-733764931
    • Opcode ID: 088d681940e04da477f785b2bbe99dbe59d8cc7102cbb33f94b164d50eee713f
    • Instruction ID: 4c422c1200e19a06a84bcebd83101cfc8f65d933701f860f4717bf9b1287e46f
    • Opcode Fuzzy Hash: 088d681940e04da477f785b2bbe99dbe59d8cc7102cbb33f94b164d50eee713f
    • Instruction Fuzzy Hash: AE21CD21F0C6538AFB629F16A41967D76A0EF85B80F498037DA0EC7681DFACE9608301
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: wcschr$Heapiswspace$AllocProcess
    • String ID: %s=%s$DPATH$PATH
    • API String ID: 3731854180-3148396303
    • Opcode ID: 34f873565fd016488015724989cbd239f180fad801886fccff01315d739e6408
    • Instruction ID: cb9c35f0a3f21039ada32ee29c392458c938793dac565a29972a47d006a2a89a
    • Opcode Fuzzy Hash: 34f873565fd016488015724989cbd239f180fad801886fccff01315d739e6408
    • Instruction Fuzzy Hash: B8216D22B0D65781EE549F56E44027D27A4EF84B88F88813BD94EC7396DE3DE5A8C344
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: wcscmp
    • String ID: *.*$????????.???
    • API String ID: 3392835482-3870530610
    • Opcode ID: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
    • Instruction ID: 9e76167517a1e7c24cd656666f880a586b15d1932f0c00181802d31459ad221c
    • Opcode Fuzzy Hash: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
    • Instruction Fuzzy Hash: 4411A125B28A6281E764AF26B44053E73A1FB84B80F185432DE9DC7B89DE3DE4A19700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: fprintf
    • String ID: CMD Internal Error %s$%s$Null environment
    • API String ID: 383729395-2781220306
    • Opcode ID: a21cc71c92a28a327d8f8da80eebadce277acf6e437ff25654f6a6615f0d9dc9
    • Instruction ID: 4a9c0557a5a0bf88ae48c4e572252686e229126ee61525efb656bce85ec0c577
    • Opcode Fuzzy Hash: a21cc71c92a28a327d8f8da80eebadce277acf6e437ff25654f6a6615f0d9dc9
    • Instruction Fuzzy Hash: 5A119E2290C64292EB659F15E9040BE6361EB44BF8F444333DA7DC32E5EF2CE4A9C340
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: iswspacewcschr
    • String ID: $P$G$=,;
    • API String ID: 287713880-3338425643
    • Opcode ID: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
    • Instruction ID: 6cfe2d8c0cffc21897a89587457be01a6ab5c2282d32ae5ab366b1bc3ac532b4
    • Opcode Fuzzy Hash: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
    • Instruction Fuzzy Hash: 06F04F21A1C65781EA648F02E40017E66A0FF49F55B4E9172DA5EC3294EF2CE460C704
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: KERNEL32.DLL$SetThreadUILanguage
    • API String ID: 1646373207-2530943252
    • Opcode ID: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
    • Instruction ID: 77f066ad304caf1719f6ae423f9eda9873b537e5d8f711e1c93b78c489829c69
    • Opcode Fuzzy Hash: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
    • Instruction Fuzzy Hash: 77011621E0DB0795EA648F12E89117C26A0EF49738F4803BBD53EC37E1DE3CA4A08309
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: RaiseFailFastException$kernelbase.dll
    • API String ID: 1646373207-919018592
    • Opcode ID: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
    • Instruction ID: b1f94110006ba3581e607d4a5dd7ec11761bf233e7ae17e35f8de1ef9d3bc532
    • Opcode Fuzzy Hash: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
    • Instruction Fuzzy Hash: 68F03A21A1CB82D2EA218F12F48407DAA64FF89BD4B489176DA4E43B55CF3CD4A5C704
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset$CurrentDirectorytowupper
    • String ID:
    • API String ID: 1403193329-0
    • Opcode ID: 75660f6856c69554ae932a378ce653c19d9fc1fbde94745acc7eff884b108f9d
    • Instruction ID: e9f5075b82b5d363117467560ba73f58fc3a7b119724f66ac7d4460135535e5f
    • Opcode Fuzzy Hash: 75660f6856c69554ae932a378ce653c19d9fc1fbde94745acc7eff884b108f9d
    • Instruction Fuzzy Hash: FF61AE32B08B828AEB64CF65D8402ED37A4FB86758F544236DE5D87B99DF38E460C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: _wcsnicmp$wcschr
    • String ID:
    • API String ID: 3270668897-0
    • Opcode ID: 22e468a1066d2a7b4628bd12889ba0c42cb96d54184fe1910575478c052ba21c
    • Instruction ID: c84afb28f057b28e2f944ad35814df40f1046ae1e3f11ce0801b5454d25da333
    • Opcode Fuzzy Hash: 22e468a1066d2a7b4628bd12889ba0c42cb96d54184fe1910575478c052ba21c
    • Instruction Fuzzy Hash: 96516C12E0C64381EB65AF12E4101BD73A1EF85B84F598137DA5EC72DAEF2CE9A5C350
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,0000000A,00007FF6D9FD92AC), ref: 00007FF6D9FE30CA
    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6D9FE30DD
    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6D9FE30F6
    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6D9FE3106
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: ErrorMode$FullNamePathwcschr
    • String ID:
    • API String ID: 1464828906-0
    • Opcode ID: 4608740039e49971374e978e9372c54a28b1034dfcf154244c984753711d5cb1
    • Instruction ID: b94e44e7061b6e8400ef56dbfa2cba3367d9ef405c3b4438a158a15a330f50b4
    • Opcode Fuzzy Hash: 4608740039e49971374e978e9372c54a28b1034dfcf154244c984753711d5cb1
    • Instruction Fuzzy Hash: 38313521E0871282E7249F16B44407EB660FB89B94F54823ADE4EC33E1EFBDE8558305
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset$DriveFullNamePathType
    • String ID:
    • API String ID: 3442494845-0
    • Opcode ID: c4faa7a40be53a6a0e94dcc52435e0141cda1ae593caa646d4c93336f675662c
    • Instruction ID: 40923c59b46e00f2d70098740c4523c67175766ea52977389f6392fad10edc0f
    • Opcode Fuzzy Hash: c4faa7a40be53a6a0e94dcc52435e0141cda1ae593caa646d4c93336f675662c
    • Instruction Fuzzy Hash: 06316A32619B828AEB60DF21E8407ED77A4FB89B88F444136EA4D87B54CF38D655C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
    • String ID:
    • API String ID: 140117192-0
    • Opcode ID: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
    • Instruction ID: 2df8bd289411d597424f17ef1a528a11c8f5c2ed7b9d6b43688fbe7fe459295e
    • Opcode Fuzzy Hash: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
    • Instruction Fuzzy Hash: 4D41C236A1CB4285EA509F0AF88036973A4FB98758F904077EA8DC37A6DF7CE464C754
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: File_get_osfhandle$TimeWrite
    • String ID:
    • API String ID: 4019809305-0
    • Opcode ID: d6e0d171c53f5369992abdeba5891b91cfcb4b54cba11b48034f7f063fb4038d
    • Instruction ID: 3fd03f55ce2f064e2d8edc70b02fb70849d931e1fbf9fd71ff73b11d2c16400e
    • Opcode Fuzzy Hash: d6e0d171c53f5369992abdeba5891b91cfcb4b54cba11b48034f7f063fb4038d
    • Instruction Fuzzy Hash: 06318421A0C74686E7A14F1594843BC6791FF4AB68F54523AD94DC7BE6CF3CD868D700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: wcstol$lstrcmp
    • String ID:
    • API String ID: 3515581199-0
    • Opcode ID: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
    • Instruction ID: da46ce5846b9652b32d615c0324098869694c613185dad2a57088fc267809434
    • Opcode Fuzzy Hash: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
    • Instruction Fuzzy Hash: 0B21DD32A0C74283E661AF79A49413EABA4FB89790F156436CB5FC3A94CF7CE4648700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: File$DeleteErrorLastWrite_get_osfhandle
    • String ID:
    • API String ID: 2448200120-0
    • Opcode ID: 5318b056ea043fb93afd7df068f18b2bd02fbcfad57a2dcdf0d64c223e63ef0d
    • Instruction ID: de8b953eb50096511bb6ae60bdd880e10272e3225920844bea2c10f66eaf4fab
    • Opcode Fuzzy Hash: 5318b056ea043fb93afd7df068f18b2bd02fbcfad57a2dcdf0d64c223e63ef0d
    • Instruction Fuzzy Hash: 9B214D31A0CB4287E715AF11A44027DB6A1FB85B89F44417AE94EC7795CF3CE475CB05
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memset$DriveNamePathTypeVolume
    • String ID:
    • API String ID: 1029679093-0
    • Opcode ID: 98c11749b4d10f39a46d47e0adf4f6b8e1502341a23e0233d90f7bb3d593d270
    • Instruction ID: 210f17b599854c59c05387b75b2cb9925deab4729fd241a1a364eab643effe54
    • Opcode Fuzzy Hash: 98c11749b4d10f39a46d47e0adf4f6b8e1502341a23e0233d90f7bb3d593d270
    • Instruction Fuzzy Hash: A3313A32709B828AEB318F62D8553EC67A4FB89B88F444176CA4D87B49DF3CD655C704
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$AllocProcess
    • String ID:
    • API String ID: 1617791916-0
    • Opcode ID: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
    • Instruction ID: aaac57db1b7ee0c69884da99052f2c58c2564b3b148cc823b9bc53bc10579187
    • Opcode Fuzzy Hash: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
    • Instruction Fuzzy Hash: 0221C865B0CB4286EA249F52B94007E7BA1FF8ABD4B489231CE5E83796DF3CE0158700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF6D9FE3C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6D9FE3D0C
      • Part of subcall function 00007FF6D9FE3C24: towupper.MSVCRT ref: 00007FF6D9FE3D2F
      • Part of subcall function 00007FF6D9FE3C24: iswalpha.MSVCRT ref: 00007FF6D9FE3D4F
      • Part of subcall function 00007FF6D9FE3C24: towupper.MSVCRT ref: 00007FF6D9FE3D75
      • Part of subcall function 00007FF6D9FE3C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6D9FE3DBF
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6D9FFEA0F,?,?,?,00007FF6D9FFE925,?,?,?,?,00007FF6D9FDB9B1), ref: 00007FF6D9FD6ABF
    • RtlFreeHeap.NTDLL(?,?,?,00007FF6D9FFEA0F,?,?,?,00007FF6D9FFE925,?,?,?,?,00007FF6D9FDB9B1), ref: 00007FF6D9FD6AD3
      • Part of subcall function 00007FF6D9FD6B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF6D9FD6AE8,?,?,?,00007FF6D9FFEA0F,?,?,?,00007FF6D9FFE925), ref: 00007FF6D9FD6B8B
      • Part of subcall function 00007FF6D9FD6B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF6D9FD6AE8,?,?,?,00007FF6D9FFEA0F,?,?,?,00007FF6D9FFE925), ref: 00007FF6D9FD6B97
      • Part of subcall function 00007FF6D9FD6B84: RtlFreeHeap.NTDLL(?,?,?,?,00007FF6D9FD6AE8,?,?,?,00007FF6D9FFEA0F,?,?,?,00007FF6D9FFE925), ref: 00007FF6D9FD6BAF
      • Part of subcall function 00007FF6D9FD6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6D9FD6AF1,?,?,?,00007FF6D9FFEA0F,?,?,?,00007FF6D9FFE925), ref: 00007FF6D9FD6B39
      • Part of subcall function 00007FF6D9FD6B30: RtlFreeHeap.NTDLL(?,?,?,00007FF6D9FD6AF1,?,?,?,00007FF6D9FFEA0F,?,?,?,00007FF6D9FFE925), ref: 00007FF6D9FD6B4D
      • Part of subcall function 00007FF6D9FD6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6D9FD6AF1,?,?,?,00007FF6D9FFEA0F,?,?,?,00007FF6D9FFE925), ref: 00007FF6D9FD6B59
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6D9FFEA0F,?,?,?,00007FF6D9FFE925,?,?,?,?,00007FF6D9FDB9B1), ref: 00007FF6D9FD6B03
    • RtlFreeHeap.NTDLL(?,?,?,00007FF6D9FFEA0F,?,?,?,00007FF6D9FFE925,?,?,?,?,00007FF6D9FDB9B1), ref: 00007FF6D9FD6B17
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
    • String ID:
    • API String ID: 3512109576-0
    • Opcode ID: 382550a8889551dd1746f9e05062d813c656d27a38cd142319c153c86f485295
    • Instruction ID: 230acf5531939c248cb63c150c413b3bf7b5fdc196604f8bc2d25e353ac7e704
    • Opcode Fuzzy Hash: 382550a8889551dd1746f9e05062d813c656d27a38cd142319c153c86f485295
    • Instruction Fuzzy Hash: 3A216062A0DA8286EB15DF66D4543BC7BA0EF99B48F148077CA4E87352DF2CE469C350
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6D9FDAF82), ref: 00007FF6D9FDB6D0
    • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6D9FDAF82), ref: 00007FF6D9FDB6E7
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6D9FDAF82), ref: 00007FF6D9FDB701
    • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6D9FDAF82), ref: 00007FF6D9FDB715
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$Process$AllocSize
    • String ID:
    • API String ID: 2549470565-0
    • Opcode ID: 8b7937c01b75b6a402f81ee33712f7103c51c9ba0582a0030a62d3f1dae91938
    • Instruction ID: 00697eb2e13e31f657c1c657d99a3e4d65afa4554d960dd75ee698bd3f43a44a
    • Opcode Fuzzy Hash: 8b7937c01b75b6a402f81ee33712f7103c51c9ba0582a0030a62d3f1dae91938
    • Instruction Fuzzy Hash: 8B215E62A09782C7EB258F11E48007CBAA1FF89B95B889472DA1E83754DF3CE861C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6D9FE507A), ref: 00007FF6D9FFD01C
    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6D9FE507A), ref: 00007FF6D9FFD033
    • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6D9FE507A), ref: 00007FF6D9FFD06D
    • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6D9FE507A), ref: 00007FF6D9FFD07F
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
    • String ID:
    • API String ID: 1033415088-0
    • Opcode ID: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
    • Instruction ID: b8bfd0871786d36a1acdf96d65080e5c095924b10dafca0d9be77c35efce0eae
    • Opcode Fuzzy Hash: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
    • Instruction Fuzzy Hash: DD11603261CA8286DA548F21F05417EB7A0FB8AB99F445236EA8E87B95DF3CD055CB04
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
    • String ID:
    • API String ID: 22757656-0
    • Opcode ID: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
    • Instruction ID: 82b203da2dd388be9652abebce94524121bba523c6f508604b907b7fad9add85
    • Opcode Fuzzy Hash: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
    • Instruction Fuzzy Hash: 49119472A186468BE7104F24E44837D7AA0FB89B78F644375D62E873D5DF3CD4598B00
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
    • String ID:
    • API String ID: 140117192-0
    • Opcode ID: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
    • Instruction ID: 1c42d9c759ae5debe5b636550093c5776aa795d4a0bdf4db43c68675cc5f5107
    • Opcode Fuzzy Hash: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
    • Instruction Fuzzy Hash: E021CF3691CB4285E6508F06F88036D73A4FB98758F500077EA8D83766DF7DE4A4C758
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF6D9FF5433,?,?,?,00007FF6D9FF69B8,?,?,?,?,?,00007FF6D9FE8C39), ref: 00007FF6D9FF56C5
    • RtlFreeHeap.NTDLL(?,?,00000028,00007FF6D9FF5433,?,?,?,00007FF6D9FF69B8,?,?,?,?,?,00007FF6D9FE8C39), ref: 00007FF6D9FF56D9
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF6D9FF5433,?,?,?,00007FF6D9FF69B8,?,?,?,?,?,00007FF6D9FE8C39), ref: 00007FF6D9FF56FD
    • RtlFreeHeap.NTDLL(?,?,00000028,00007FF6D9FF5433,?,?,?,00007FF6D9FF69B8,?,?,?,?,?,00007FF6D9FE8C39), ref: 00007FF6D9FF5711
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$FreeProcess
    • String ID:
    • API String ID: 3859560861-0
    • Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
    • Instruction ID: 7366eb17fb2ae5f611a21e79bbaaff4f178104b9b4ca258a27df5447428c9162
    • Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
    • Instruction Fuzzy Hash: 14114872A08B81C6EB118F56E4440ADBBB0FB8DF88B488126DB4E43718DF38E466C744
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: ConsoleMode_get_osfhandle
    • String ID:
    • API String ID: 1606018815-0
    • Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
    • Instruction ID: 20535a6be9ed9e2fd9b0cf561678771612d7c0a1920c7a1da438a4d5eab9a739
    • Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
    • Instruction Fuzzy Hash: ABF03031A28A42CBD7155F11E84467DBA60FB8AB06F859275DA0F83395DF3CD018CB05
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF6D9FE06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FDB4DB), ref: 00007FF6D9FE06D6
      • Part of subcall function 00007FF6D9FE06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FDB4DB), ref: 00007FF6D9FE06F0
      • Part of subcall function 00007FF6D9FE06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FDB4DB), ref: 00007FF6D9FE074D
      • Part of subcall function 00007FF6D9FE06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FDB4DB), ref: 00007FF6D9FE0762
    • longjmp.MSVCRT ref: 00007FF6D9FECCBC
    • longjmp.MSVCRT(?,?,00000000,00007FF6D9FE1F69,?,?,?,?,?,?,?,00007FF6D9FD286E,00000000,00000000,00000000,00000000), ref: 00007FF6D9FECCE0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$AllocProcesslongjmp$iswdigitiswspacewcschr
    • String ID: GeToken: (%x) '%s'
    • API String ID: 3282654869-1994581435
    • Opcode ID: 0d50fbd59cb290ba3a7f099b8a3a031ee9f038d52b89f1901d18a5cacde82640
    • Instruction ID: bf9f00bf47899068cd7ed1d4f55b63c0884140655301f3f1db1695ade4ff2736
    • Opcode Fuzzy Hash: 0d50fbd59cb290ba3a7f099b8a3a031ee9f038d52b89f1901d18a5cacde82640
    • Instruction Fuzzy Hash: 0961B061A0D74386FB259F25A4542BD23A1EF857A8F544537DA1ECB7E6EE3CF4608300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF6D9FDCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6D9FDB9A1,?,?,?,?,00007FF6D9FDD81A), ref: 00007FF6D9FDCDA6
      • Part of subcall function 00007FF6D9FDCD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF6D9FDB9A1,?,?,?,?,00007FF6D9FDD81A), ref: 00007FF6D9FDCDBD
    • wcschr.MSVCRT ref: 00007FF6DA0011DC
    • memmove.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF6D9FF827A), ref: 00007FF6DA001277
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$AllocateProcessmemmovewcschr
    • String ID: &()[]{}^=;!%'+,`~
    • API String ID: 4220614737-381716982
    • Opcode ID: bd83934b9501f045900d4cea0c34526f969d72289539c66b600af79ca04ff41e
    • Instruction ID: 250eb7b7fe804ea56ba065763606aeb7967d202a2c359c169bd0d4fe179e200b
    • Opcode Fuzzy Hash: bd83934b9501f045900d4cea0c34526f969d72289539c66b600af79ca04ff41e
    • Instruction Fuzzy Hash: F371B371A0C2438AE7608F16A4806BDB6A4FB9879CF404277DA5DC7BD9DF3CA4618B04
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: memmovewcsncmp
    • String ID: 0123456789
    • API String ID: 3879766669-2793719750
    • Opcode ID: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
    • Instruction ID: e800c0a7d6d7c0d3cb0956dd888789acd06fe05e4cf7d4605cacfcb7cab5e1de
    • Opcode Fuzzy Hash: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
    • Instruction Fuzzy Hash: 5B41F322F1CB8B81EA258F2698006BE6294FB45B98F449172DE4E87786EF3CD5518384
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6D9FF97D0
      • Part of subcall function 00007FF6D9FDD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6D9FDD46E
      • Part of subcall function 00007FF6D9FDD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6D9FDD485
      • Part of subcall function 00007FF6D9FDD3F0: wcschr.MSVCRT ref: 00007FF6D9FDD4EE
      • Part of subcall function 00007FF6D9FDD3F0: iswspace.MSVCRT ref: 00007FF6D9FDD54D
      • Part of subcall function 00007FF6D9FDD3F0: wcschr.MSVCRT ref: 00007FF6D9FDD569
      • Part of subcall function 00007FF6D9FDD3F0: wcschr.MSVCRT ref: 00007FF6D9FDD58C
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6D9FF98D7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
    • String ID: Software\Classes
    • API String ID: 2714550308-1656466771
    • Opcode ID: d66e77e282f526cdab360848653042cb1799c396fd656979a78128508030fc96
    • Instruction ID: 0b6dce610d4ae305d9a983682d307d469b6db51662bbc86c6bdac9938048ab2f
    • Opcode Fuzzy Hash: d66e77e282f526cdab360848653042cb1799c396fd656979a78128508030fc96
    • Instruction Fuzzy Hash: F541C322B19B5281EA00DF16D44547D63A5FB84BD4F908232DE5E877E1EF39E8BAC340
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6D9FFA0FC
      • Part of subcall function 00007FF6D9FDD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6D9FDD46E
      • Part of subcall function 00007FF6D9FDD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6D9FDD485
      • Part of subcall function 00007FF6D9FDD3F0: wcschr.MSVCRT ref: 00007FF6D9FDD4EE
      • Part of subcall function 00007FF6D9FDD3F0: iswspace.MSVCRT ref: 00007FF6D9FDD54D
      • Part of subcall function 00007FF6D9FDD3F0: wcschr.MSVCRT ref: 00007FF6D9FDD569
      • Part of subcall function 00007FF6D9FDD3F0: wcschr.MSVCRT ref: 00007FF6D9FDD58C
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6D9FFA1FB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
    • String ID: Software\Classes
    • API String ID: 2714550308-1656466771
    • Opcode ID: 40e265c1ad5cb419bc37e3f74a7831dec97f4f50f637fb390f268ed2376e0e1b
    • Instruction ID: 53873fc40b11919c91878ce45e0054f7159d2aba0ee7c92e17ae7fe8f066d315
    • Opcode Fuzzy Hash: 40e265c1ad5cb419bc37e3f74a7831dec97f4f50f637fb390f268ed2376e0e1b
    • Instruction Fuzzy Hash: CC41B122B19B5281EA00DF16D44543D73A5FB85BD8F518232DE5E837E1EE39E86AC740
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: ConsoleTitle
    • String ID: -
    • API String ID: 3358957663-3695764949
    • Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
    • Instruction ID: cfa77096b20d5dd4470748c9d12aabd2621c80ef2dfa4f5c60be2a74f0edac13
    • Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
    • Instruction Fuzzy Hash: 30317E21A0C74286EA14AF12A8440BC6AA6FB89B94F594177D91ED7BD6DF3CF461C304
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: _wcsnicmpswscanf
    • String ID: :EOF
    • API String ID: 1534968528-551370653
    • Opcode ID: 371c5ed1d04bc6378da742994009ca7237cc8b6e5efafef9a14f685808df8ab2
    • Instruction ID: 7b9aba09e30461b12abf7fb92c8c2150b1042742d10b100f157b2a4257ef0f66
    • Opcode Fuzzy Hash: 371c5ed1d04bc6378da742994009ca7237cc8b6e5efafef9a14f685808df8ab2
    • Instruction Fuzzy Hash: 0E31AD31E1DA438AFB659F16E8402BC72A1EF45B54F484033EA8DC7292EF2CE961C744
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: _wcsnicmp
    • String ID: /-Y
    • API String ID: 1886669725-4274875248
    • Opcode ID: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
    • Instruction ID: 69688070732c545206390493ecaac1fe88c78a1355c08943eebfc9d032ecb1df
    • Opcode Fuzzy Hash: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
    • Instruction Fuzzy Hash: F5216066E0876681EB209F0695402BC76E1BB84FC8F458073DF9997794DF7CE8A2D304
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID:
    • String ID: 3$3
    • API String ID: 0-2538865259
    • Opcode ID: ddd87971df706f46a8d232553329da211c0b0389ae935901d5995e82db34f2bd
    • Instruction ID: 8664207e28527204cc730c6243e85ed41ca66af20e733db406645eb8d3429444
    • Opcode Fuzzy Hash: ddd87971df706f46a8d232553329da211c0b0389ae935901d5995e82db34f2bd
    • Instruction Fuzzy Hash: 22012971D1E5838AF3158F64D8842BC3660BF8532EF9441B7C41ECA6E2DF2C74B49641
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FDB4DB), ref: 00007FF6D9FE06D6
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FDB4DB), ref: 00007FF6D9FE06F0
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FDB4DB), ref: 00007FF6D9FE074D
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6D9FDB4DB), ref: 00007FF6D9FE0762
    Memory Dump Source
    • Source File: 00000000.00000002.2888786103.00007FF6D9FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D9FD0000, based on PE: true
    • Associated: 00000000.00000002.2888770348.00007FF6D9FD0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888815173.00007FF6DA002000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA00D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888831918.00007FF6DA01F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2888883522.00007FF6DA029000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff6d9fd0000_cmd.jbxd
    Similarity
    • API ID: Heap$AllocProcess
    • String ID:
    • API String ID: 1617791916-0
    • Opcode ID: 7f6131ec27923fc47eb93a8029ce1e8351ae842096c6c33028bd98535f1c06b5
    • Instruction ID: cd9899572269d6362b93e2b939b94d8a53cfe541ce561c553a24dcba62019bb2
    • Opcode Fuzzy Hash: 7f6131ec27923fc47eb93a8029ce1e8351ae842096c6c33028bd98535f1c06b5
    • Instruction Fuzzy Hash: 1F417B72A0E74286EA258F10E4801BE7BA0FF85B84F988136CA4EC7795DF3CE561C744
    Uniqueness

    Uniqueness Score: -1.00%